Update On The Health Net Breach

The Arizona Attorney General acted first after 1.5 million consumer records were exposed or stolen during this data breach. Earlier this week, the Hartford Business Journal reported:

"Attorney General Richard Blumenthal says a missing disk containing confidential data on almost 450,000 Health Net patients in Connecticut may have been stolen, rather than lost. Blumenthal said today he is notifying federal criminal investigators, asking that they take a closer look into the matter... Blumenthal said Health Net lost the information in May, but never informed consumers, the police or his office about the loss of information. He said the six-month delay in giving notice to consumers and the state could be a violation of the law. Meanwhile, Blumenthal also is probing Health Net's proposed deal to sell its northeastern licensed subsidiaries..."

While the breach has been bad news for consumers, these actions by local government are good news for consumers and breach victims. I wish Connecticut Attorney General Blumenthal continued success.

Health Net May Have Violated Consumer Notification Laws After Its Data Breach

From the Boston Examiner:

"On Friday Attorney General Terry Goddard called on Health Net, a Connecticut-based insurance company, to immediately notify its Arizona policyholders whose personal, medical and financial information was either lost or stolen in a data breach that occurred six months ago. He said further that his Office will open an investigation to determine whether a state law requiring prompt notification was violated. Health Net notified the Arizona Department of Insurance on Wednesday that a hard drive containing personal data on some 316,000 present and former Arizona policyholders has been missing since May from the company's headquarters in Shelton, Conn. The company has yet to contact the affected policyholders about the breach, however, saying it plans to send letters to them soon."

Soon? The company already waited six months after the breach to notify State of Connecticut officials. To learn more, read this prior blog post.

Violent Criminals Switch To Medicare Fraud

This is not good news. Breitbart reported:

"... Mafia figures and other violent criminals are increasingly moving into Medicare fraud and spilling blood over what once a white-collar crime... For criminals, Medicare schemes offer a greater payoff and carry much shorter prison sentences than offenses such as drug trafficking or robbery... Medicare scammers typically make their money by billing Medicare for medical equipment and drugs that patients never receive—and never needed. Some pay homeless people on Los Angeles' Skid Row for Medicare or Social Security numbers to use in fake billing invoices. Others intimidate elderly victims to use their Medicare numbers, federal authorities say."

This shift suggests that many local governments and cities need to stiffen the penalties and prison time for identity theft, Medicare, and related fraud crimes:

"Most Medicare schemes are based in cities such as Miami, Los Angeles, Detroit and Houston... A Medicare scammer could easily net at least $25,000 a day while risking a relatively modest 10 years in prison if convicted on a single count. A cocaine dealer could take weeks to make that amount while risking up to life in prison."

The Consequences When An Identity Thief Commits A Crime In Your Name

This is a horrible experience for any person. The Omaha World-Herald reported a particularly nasty case where a citizen was jailed twice due to mistaken identity:

"Last week, Salazar, 38, spent a night in the Douglas County Jail after he and his girlfriend called Omaha police to report a burglary. Ten months ago, he spent two weeks, including Christmas and New Year's Day, in jail after being pulled over for speeding. The reason: Every time Joe Salazar comes in contact with law enforcement, police discover there's an arrest warrant out for a Joe Salazar for failing to appear for sentencing in a 2002 drug case."

The real Joe Salazar lost his wallet in a restaurant: identification, Social Security number, date of birth, and other sensitive personal data. The criminal used Salazar's identity during a crime and then skipped out on bail from a scheduled court data. Hence, the arrest warrant for Salazar and local law enforcement keeps arresting the real Salazar.

Local law enforcement doesn't know the criminal's identity, but they do have his finger prints. Obviously, the real Salazar would like to see some fast, corrective action of his situation with the criminal caught. The real Salazar said:

"It's frustrating, because you know there's nothing you can say or do to convince (police)... I tell them ‘You've got the wrong guy. But I'm sure they hear that all the time.”

What can a consumer do to resolve this? Nothing that I know of. Salazar's problem will continue until the criminal is caught. Will any credit monitoring service help? No. Those services are for helping consumers protect their credit report, not for crimes. With the increasing number of data breaches with stolen consumers' sensitive data, I fear that cases like Joe Salazar's will only happen more often.

[Oct. 16 - Editor's Note: I encourage readers to read the comments below. Several readers submitted informative comments which consumers may find useful.]

Breach Notification Laws By State Since 2004

Creditcards.com has a pretty good interactive map of the states that have breach notification laws for consumers. You can easily see by year which states added a law requiring companies to notify affected consumers after a data breach.

There are two problems I see. First, residents of South Dakota, Alabama, Kentucky, New Mexico and Mississippi are pretty much out of luck. These states lack laws requiring companies to notify affected consumers after a breach. For the rest of us, notification is required but varies by state, by the format of the information, and the type of information stolen.

A better map presentation would have overlaid breach notification for consumers' financial information with consumers' medical records.

Former Councilman Gets One Year In Prison For Computer Spying

I think that it is important for criminals to experience consequences. The ends do not justify the means. The Greenville News (North Carolina) reported:

"A federal judge sentenced former Greenville County councilman Tony Trout to one year in prison on computer spying charges on Wednesday, telling the former police officer that he violated the public's trust... Trout told U.S. District Judge Henry Floyd that he was wrong to implant a bug on County Administrator Joe Kernell's computer that allowed him to access Kernell's personal emails... A jury convicted Trout in April on four counts of computer spying and wiretapping after Trout testified in his own defense that he didn't know that it was illegal to intercept Kernell's personal e-mails through the administrator's computer and private Yahoo account. Trout's stated intention was to expose what he saw as government corruption and that he thought county employees had no right to privacy on work computers..."

Trout's actions violated the Electronic Privacy Communications Act.

Breach Notification: Vermont And Wisconsin Do It Right

While surfing the Web, I was pleased to discover that both the Vermont Attorney General's Office and the Wisconsin Office of Privacy Protection publish on their Web sites the breach notification letters they received from companies, schools and governments. Vermont's coverage starts with March 2008. Wisconsin's coverage starts with 2006.

This is great news. These online disclosures allow residents of these states to verify any breach notification letters they may receive directly from companies. I have written previously in this blog about other states that provide similar online disclosures: Maryland and New Hampshire.

In my opinion, all 50 states should do this. There is no downside. Sadly, my state, Massachusetts currently does not.

California Identity Theft Legislation (SB-20)

Earlier this week, SC Magazine reported that the California State Senate passed SB-20. This is good news for consumers. California Senate Bill SB-20 requires:

"... any agency, person, or business that must issue a security breach notification pursuant to existing law to fulfill certain additional requirements pertaining to the security breach notification, as specified. The bill would also require any agency, person, or business that must issue a security breach notification to more than 500 California residents pursuant to existing law to electronically submit that security breach notification to the Attorney General."

Current laws require companies and agencies to tell affected consumers only that a breach occurred, and don't require the disclosure of details about the breach (e.g., number of consumers affected, types of data lost or stolen, events that led up to the breach, status of the post-breach investigation, etc.). While California has led the nation in passing consumer-friendly identity-theft legislation, this new legislation fills a critical gap. The additional requirements in California Senate Bill SB-20:

"The security breach notification shall include, at a minimum, the following information:
(A) The name and contact information of the reporting agency subject to this section.
(B) A list of the types of personal information, as defined in subdivision (g), that were or are reasonably believed to have been the subject of a breach.
(C) The date, estimated date, or date range within which the breach occurred, if that information is possible to determine at the time the notice is provided, and the date of the notice.
(D) Whether the notification was delayed as a result of a law enforcement investigation.
(E) A general description of the breach incident.
(F) The estimated number of persons affected by the breach.
(G) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a bank account or credit card number, a social security number, or a driver's license or California identification card number."

In order to make timely and effective decisions to protect their sensitive personal data, consumers need to be fully informed about data breaches. In my experience, IBM's breach notice never disclosed the number of records lost/stolen or the number of consumers affected by its February 2007 breach. Nor did IBM disclose the results of its breach investigation, or even if it fired/reprimanded the vendor involved.

Earlier this month, my wife received a breach notice from her credit union. That notice lacked details about both the breach and the follow-up investigation.

The California Senate Bill SB-20 is a good bill. Thanks to California State Democrat Senator Joe Simitian for introducing SB-20. (He also sponsored SB-1386, the landmark 2003 identity theft legislation that paved the way for other states' identity theft legislation.)  I hope that the California Assembly approves it and that Governor Schwarzenegger signs it. I hope that other states pass similar legislation. If you agree, tell your elected officials today.

Can Consumers' Computers Connected to The Internet Be Secure? Government Spying, Breaches, and 'GhostNet'

My head is still spinning from these massive data breaches. Yesterday's Wall Street Journal reported:

"Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project -- the Defense Department's costliest weapons program ever -- according to current and former government officials... Similar incidents have also breached the Air Force's air-traffic-control system in recent months... In the case of the fighter-jet program, the intruders were able to copy and siphon off several terabytes of data related to design and electronics systems... The latest intrusions provide new evidence that a battle is heating up between the U.S. and potential adversaries over the data networks that tie the world together."

Like other consumers, I expect my government to fully protect itself and its assets -- and hence me. What the US Government is doing to protect itself:

"The U.S. has no single government or military office responsible for cyber security. The Obama administration is likely to soon propose creating a senior White House computer-security post to coordinate policy and a new military command... The Bush administration planned to spend about $17 billion over several years on a new online-security initiative and the Obama administration has indicated it could expand on that."

Earlier this month, WBUR's OnPoint program reported about the unmasking of GhostNet:

"... a crack team of computer sleuths in Canada unveiled a global computer spying network, apparently run out of China, called “GhostNet.” It’s a spying operation that has reached into more than a thousand key computers around the world, rifling through high-security files, even turning on computers’ cameras and microphones to watch and listen from halfway round the world."

The spying was first uncovered in Tibet. The investigative team would uncover over 1,000 "participating" computers. Countries are spying on each other, and are often using consumers' Internet-connected computers to do the grunt work. Computers far beyond Microsoft-Operating-System computers were targeted. New terms and phrases have emerged to describe the activities and players: "Command-and-control Server," "Geo-Political Competition in Cyber-space," "Arms Race in Cyber-space," "Cyber-Warfare," "InfoWar," "Byzantine Hades," "Cyber-Terrorism," "Ghost Rat," "Patriotic Hackers," and others. Reportedly, the supposedly secure and encrypted Skype system was also compromised.

It would seem that the cold war has moved to the Internet, and that the Internet is becoming militarized. I encourage you to listen to the WBUR OnPoint podcast.

Unreported Data Breach at TrueCredit.com, Trilegiant, or Great Fun?

Recently, an I've Been Mugged reader wrote:

"Do not sign up for truecredit.com. Here is the path of relationship association that reveals big problems with id theft. Here goes...Transunion's subsiderary with truecredit which DBA great Fun (among others) is owned by Trilegiant (formerly Cedant) Trilegiant was sued last July for $25million by the state of Illinois. Ok...how do I know all this? My identity was passed on from truecredit.com to great fun then for some strange reason...on the same day...my account got hit with almost $1,000 charges by people ordering different goods being shipped to all different states also West Africa. So what can you do? I reported to everyone I can report to and I feel this needs some national attention on a grand scale. Any suggestions? Has anyone else experienced this same nightmare?"

Trixie is correct. Trilegiant Corp settled with the State of Illinois in July 2008. According to the St. Louis Business Journal:

"Trilegiant Corp., a subsidiary of Cendant Corp., must pay $25 million to settle a class-action lawsuit filed by consumers who were charged for products they never ordered... More than one million people nationwide, including some in St. Louis, complained about the incorrect charges, said Rob Schmieder, an attorney who worked on the case."

Also:

"Norwalk, Conn.-based Trilegiant allegedly billed and collected unauthorized charges from consumers for products and memberships consumer never requested, including Privacy Guard, Credit Alert, Auto Vantage, Travelers Advantage, Buyers Advantage, Compete Home, Digital Protection Plus, Great Fun, Great Options, HealthSaver, Hotline, Just for Me, National Card Registry, NetMarket, Shoppers Advantage, Travel ER and others."

Of course, as part of the settlement deal Trilegiant admitted no wrong-doing. I checked several breach databases and did not see any breach notices from Trilegiant, Great Fun, or TrueCredit.com. Based on Trixie's experience, there seems to have been an unreported data breach by one of these companies.

If you think that you have been affected, let us know below. More importantly, consumers should report any identity theft and fraud to both their local law enforcement and to the U.S. Federal Trade Commission. If consumers still don't get any satisfaction, write to your elected officials in Congress.

U.K. Parliament Debates ISP-Based Targeted Advertising

This ClickZ news story caught my attention:

"... in the House of Commons, Members of Parliament, Lords, and industry experts met to discuss the privacy implications concerning ISP-level behavioral targeting from companies such as Phorm and NebuAd. The intention of the session, which was hosted by Liberal Democrat Home Affairs spokesperson, Baroness Sue Miller, was to "inform parliamentarians" on the issues surrounding the controversial practice... the majority of conversation focused on ad-targeting technology firm Phorm, which is currently the most advanced U.K. player in the ISP-based behavioral ad space. The company announced in February 2008 that it would partner with three of the U.K.'s largest ISPs in order to sell and target ads based on user's online interaction data. Although a number of Phorm executives were present at the event, the company was refused a place on the panel, according to CEO Kent Ertugrul."

This has implications for the USA. If targeted advertising (a/k/a behavioral advertising) gains acceptance in the United Kingdom, it could make acceptance more likely here in the USA. I have written extensively about behavioral advertising, including the role of ISPs, abuses by ISPs of consumers' privacy, the class-action lawsuit against NebuAd, and AT&T's promise to do behavioral advertising "the right way."

Can ISPs be trusted to do behavioral advertising the right way? In my opinion, no. A few might, but the industry as a whole: no. In the USA, their collective historical actions speak far louder than their collective words and promises.

My position: ISPs should not be allowed to perform behavioral advertising. Period. Why? Behavioral advertising would allow ISPs to collect (and potentially share with vendors) massive amounts of the most sensitive consumer data: every site and web page a consumer visits on the Internet, the amount of time spent at that site and at each page, keywords entered at search engine sites, instant message contents, email contents, and so forth.

The monthly tsunami of data breaches proves that corporations, including ISPs, don't take data security seriously. It seems foolish to allow ISPs to collect and archive more personal data, only for them to later lose it or have it stolen, while consumers bare the credit monitoring and recovery costs. ISPs claim that they will anonymize the data to protect consumers' privacy, but don't offer any guarantees or methods for independent verification. There is no oversight planned, so there is no way for consumers to verify that ISPs would actually live up to their promises. And, there are no penalties for abuses.

ISP-based behavioral advertising would be a train wreck.

Sir Tim Berners-Lee, director of the World Wide Web Consortium, said this about ISPs and behavioral advertising:

"There should be no snooping on the Internet; it's the equivalent of wire tapping, or opening a person's mail... I'm here today to defend the integrity of the Internet."

The article covered the comments by other experts:

"Richard Clayton, treasurer for the Foundation for Information Policy Research, agreed that ISPs had no business in intercepting user communications, stating, "Providing better ads is not the role of the ISP. It's not lawful." Meanwhile, Jim Killock, executive director of the Open Rights Group, argued the practice would "undermine our confidence in governments to preserve our basic human rights..."

According to PCPro News, Berners-Lee's comments drew this response from Phorm's CEO:

"There have been a number of things said that patently misrepresent what we do," he argued. "We have the strongest privacy protection of everyone on the internet." He then went on to claim that the media wouldn't survive without the increased targeted-advertising revenue provided by services such as Phorm... Ertugrul then accused Berners-Lee of speaking from a position of ignorance, claiming the company had invited him to inspect its technology on several occasions, which he had declined."

A position of ignorance? Pleeze! Berners-Lee invented the Internet, without which Ertugrul wouldn't have a company. Ertugrul's response to Berners-Lee was just plain rude. What's is insulting is Ertugrul's claim that the media can't survive without behavioral advertising. Where's the proof? If anything, it is ISPs clamoring for behavioral advertising, not media companies.

The strongest privacy protection? Better than banks? I doubt it. If Phorm's privacy protection is so great, they should sell it to banks and financial services companies; both of whom have already experienced numerous data breaches here in the USA.

If ISP-based behavioral advertising concerns you (and I surely hope that it does), I encourage you to write to your elected officials in the USA and tell them, "no behavioral advertising for ISPs." Plus, there is two global Facebook groups you should join:

• Stop ISPs From Breaching Customers' Privacy!
• Facebook: Tell Phorm to Eph Off and Leave My Facebook Data Alone

Need Some Cash? Report Software Piracy At Your Employer

This is capitalism at its finest. From the Los Angeles Times blog:

"Looking to make some extra cash during the recession? Turn in your bosses and co-workers for using pirated software! The Business Software Alliance said today that it paid out $136,100 last year through its "Know It, Report It, Reward It" program for "verifiable tips about software piracy."

Employees can report software piracy via www.nopiracy.com or a toll-free phone number. Does this program work? In 2008, 42 tipsters earned about $3,200 each, and:

"According to the BSA, several Southern California companies have settled software piracy cases after being reported. Among them were Acorn Engineering of City of Industry, Miller Automotive of Van Nuys, Western Power Products of Bakersfield and Z Gallerie of Gardena... the BSA's total payout increased sharply in 2008, from $23,000 in 2007 and $40,000 in 2006."

My question is this: why stop at offering rewards for tips about software piracy? I'd love to see a rewards program for tips about unreported data breaches at companies. The continual monthly incidents of data breaches indicates that too many companies fail to adequately protect the sensitive personal data of customers, employees, and former employees.

This tips program would cover both domestic USA and abroad company locations. The tips could be paid from a pool of corporate fines and settlements through a collective of participating State Attorney Generals' offices. Or the program could be administered through a co-operative of ID-theft nonprofts, like the ITRC and the PRC. Either way, it seems like a breach tips program would decrease or halt corporate data breaches.

ISPs Charge UK Child Abuse Detectives For Data

Last year, I started to follow the corporate responsibility and consumer-data-privacy habits of ISPs (Internet Service Providers) after several ISPs secretly performed targeted advertising programs without notifying their subscribers and without providing their subscribers with an opt-out method. During the last year or two, both US and UK ISPs have arrangements with targeted advertising vendors.

Given this, an IT Pro Fit For Business news story caught my attention:

"The Child Exploitation and Online Protection Centre (CEOP) told the BBC following a freedom of information request that since April of 2006 it had made 9,400 requests for user information, at a total cost of £171,505.99... the CEOP centre’s chief executive Jim Gamble said the body expected to pay as much as £100,000 to ISPs to get the information they needed to find children who were being abused – and the criminals hurting them."

Do the math and that is about £18.25 per request or about US $36. You'd think that ISPs would not charge government child abuse detectives for data. The CEOP uses information from ISPs to track online predators:

"... essentially to put a name and location to IP addresses. Some ISPs charge to supply that data, while others do not."

I think that everyone will agree that protecting children from abuse, finding abused and abducted children, and prosecuting predators is a high-priority task. I wonder what distinguishes an ISP who charges abuse detectives for data versus an ISP that provides that data for free. Is one ISP simply better managed than the other? Or is one ISP more greedy than the other? Or, is the decision to charge detectives determined by company size?

I wonder why government detectives haven't negotiated a volume-discount arrangement with ISPs for IP data, since thy know they will make a certain number of requests each year. Do the math and the 9,400 requests since 2006 equal about 3,130 requests per year.

I wonder what UK citizens think of this. Are they curious to know which ISPs charge for supplying IP data to abuse detectives? You would think that they would want to know where their tax dollars are spent. Would UK citizens shift their subscriptions to ISPs that don't charge abuse detectives for the data?

What do you think?

FTC Revises Guidelines For Online Targeted Advertising

In February, the U.S. Federal Trade Commission (FTC) revised its guidelines for companies that wish to perform targeted advertising (a/k/a behavioral advertising or behavioral targeting) programs:

"... a report describing its ongoing examination of online behavioral advertising and setting forth revisions to proposed principles to govern self-regulatory efforts in this area. The key issue concerns how online advertisers can best protect consumers’ privacy while collecting information about their online activities."

In 2008, I wrote a series of blog posts about targeted advertising, the FTC's request for feedback from consumers, the role of ISPs, and associated privacy and data breach concerns. Since then, the FTC has modified slightly its guidelines in this latest report. I am following the FTC's actions on this topic because it must balance the needs of businesses against the data security needs of consumers. It's not just a privacy issue, but also a data security issue.

In its press release, the FTC said:

"... most of the public comments the FTC received concern the scope of the proposed principles. For example, commenters discussed whether it is necessary to provide privacy protections for data that is not personally identifiable. In response, the report states that privacy protections should cover any data that reasonably can be associated with a particular consumer or computer or other device."

So far, okay. There's more:

"... commenters questioned the need to apply the principles to (1) “first party” behavioral advertising, in which a Web site collects consumer information to deliver targeted advertising at its site, but does not share any of that information with third parties, and (2) contextual advertising, which targets advertisements based on the Web page a consumer is viewing or a search query the consumer has made, and involves little or no data storage. The report concludes that fewer privacy concerns may be associated with “first-party” and “contextual” advertising than with other behavioral advertising, and concludes that it is not necessary to include such advertising within the scope of the principles... however... companies must still comply with all applicable privacy laws..."

So far, okay. There's more:

"The report also provides additional guidance regarding each of the four principles and sets forth revised principles reflecting this guidance. The first principle – transparency and consumer control – remains unchanged... Web sites are expected to provide clear and prominent notice regarding behavioral advertising, as well as an easily accessible way for consumers to choose whether to have their information collected... privacy policies posted on companies’ Web sites often are long and difficult to understand, the report encourages firms to design creative and effective disclosure mechanisms... the report continues to urge companies to provide reasonable security for any data they collect for behavioral advertising and to retain data only as long as it is needed to fulfill a legitimate business or law enforcement need."

So far, okay. The guidelines that changed:

"... the report clarifies that its focus is on retroactive changes – for example, material changes to a privacy policy that affect information a company collected prior to the changes... some form of prominent notice and opt-out choice may be sufficient. Finally, due to the heightened privacy concerns raised by the collection and use of consumers’ sensitive data, the report continues to urge companies to obtain affirmative express consent before collecting such data for behavioral advertising."

The FTC is urging companies to use opt-in mechanisms and not opt-out mechanisms. That is, consumers only participate in a company's targeted advertising program after expressly opting into the program. Prior attempts by ISPs and others were automatic inclusion forcing consumers to opt-out. Opt-in is more consumer friendly and compatible. I wish that the FTC was stronger in its language. "Urge" does not seem compelling enoough. "Require" would have been far better.

Consumers interested in details should download the FTC report (PDF, 412k bytes).

Santa Fe Group And ID Experts Announce 'Bill of Rights' For ID-Theft Victims

Last week, the Santa Fe Group and ID Experts announced a 'Bill of Rights' for Identity theft victims. The document includes five basic rights to help consumers who are victims of identity theft and data breaches to protect and correct their personally identifiable information (PII) records:

1. Assessment of the nature and extent of the crime that removes the procedural “Catch-22s” when validating identity
2. Full restoration of victims’ identities to pre-theft status, including the ability to expunge records
3. Freedom from harassment from collection agencies, law enforcement and others
4. Prosecution of offenders and accountability for businesses that fail to reasonably secure personal information
5. Restitution that includes repayment for financial losses and expenses

For people who are unfamiliar with the issues, the white paper provides a background on the issues and trends about identity theft and identity restoration -- the challenges to consumers when fixing damage done by identity thieves. The white paper effort was led by the Identity Management Working Group of The Santa Fe Group Vendor Council chaired by Rick Kam, President of ID Experts. Kam noted:

“Despite new additions to the Fair and Accurate Credit Transaction Act of 2003 (FACT), such as free credit reports and the ability to place fraud alerts after identity theft, victims are still subject to inconsistent and unfair treatment from state and federal agencies, law enforcement and businesses. We created the Bill of Rights to empower victims by granting them the same rights as victims of other crimes.”

The Santa Fe Group is a consulting company to financial institutions and related infrastructure companies. ID Experts provides services to companies and to consumers covering identity restoration. Consumers and companies can download for free the Bill of Rights white paper, titled "Victims’ Rights: Fighting Identity Crime on the Front Lines" (364 K Bytes, Adobe PDF format; registration required).

This "Bill of Rights" is an excellent idea for several reasons. As Kam said above, consumers receive inconsistent treatment within and across States. First, most but not all States have laws defining what is personally identifiable information, and how companies and government agencies should protect that information. Second, most but not all States have laws requiring companies and government agencies to notify consumers after a data breach.

Third, most states do not define the content of what the components should be in a credit monitoring service offered in a company's post-breach response. This places consumers in a difficult situation thinking that their state has provided them with some protection, when in fact that protection is far weaker than they realize. Fourth, most consumers have no idea what to do to restore their identity information after damage by identity thieves.

Fifth, only a handful of states have laws protecting consumers against ID-theft involving RFID cards. There are so many ways identity thieves can steal consumers' sensitive data, that it makes sense to strengthen laws to help consumers fix the damage done by identity thieves. Sixth, only a couple states -- Maryland and New Hamsphire -- post online the breach notices received to help consumers verify breach notices.

Reengineering U.S. Government, Lou Gerstner, and John Madden

[Editor's Note: Today's blog post is by guest author William Seebeck. I've known Bill for decades, going back to our time working together at Lexis-Nexis in Dayton, Ohio during the 1980's. Bill has a wealth of experience in online systems, banking, publishing, and public relations.]

Shortly after the Super Bowl, I was speaking with a life-long friend, Mike Siani, NFL scout, coach and former Oakland Raiders wide receiver. I said, “You know Mike, I always loved when John Madden was your coach and on first downs he would use three wide receivers (Fred Biletnikoff, Siani, and Cliff Branch) and send you all down field for a big gain pass play from QB Ken Stabler.“ (In Mike’s 9-year playing career alone, he averaged some 17 yards after each catch). “Today, most teams are so predictable. They run on the first two downs and then they try the pass on the third down.”

I can still hear it in Madden’s voice today when he says, I’d pass on first down, you’ve got be more aggressive right out of the box. Go for it!

Another person who liked “going for it” in business was Lou Gerstner, the former CEO of IBM. There are at least two things Lou is known for. The first is being bold and the second being successful.

If you are holding an American Express card, chances are it’s because of the way Lou Gerstner changed their card business between 1978 and 1989. If you enjoyed a Nabisco cracker during the Super Bowl, chances are you can thank Lou Gerstner and the fact the IBM is still one of the most successful American companies is definitely because of Mr. G.

His efforts at IBM are well known to me, in part because my business partner, Hunter Grant and I were hired as an outside consultant to review and second-guess their Internet strategy in the mid-1990’s. During that time, we looked at quite a number of projects and found them wanting, not because they didn’t have great people, but because they weren’t current with the rapid changes occurring in the information technology marketplace at the time. In addition, the organization had become so large, that it was getting in its own way in creating new products. Gerstner changed that, but only after instilling in the company a belief that change and a willingness to accept ongoing examination and criticism were good things that could help drive new growth.

It was no surprise to me then when I received my September 18, 2008 edition of BusinessWeek and found that Lou Gerstner had written a great column entitled. “It’s Time To Reengineer U.S. Government”. In this now five-month old article, Gerstner said:

Amid the ongoing turmoil, it seems obvious we must reinvent our government and create an efficient system that can anticipate and avoid major crises. Despite many opportunities, however, this is not a lesson we have taken to heart. Whether the task is fixing health care, upgrading K-12 education, bolstering national security, or a host of other missions, the U.S. is better at patching problems than fixing them. Part of the reason is that we have two parties lacking comity and a sense of shared national responsibility. But beyond the partisan divide, I would argue that the processes of government are broken, preventing us from taking responsible actions.”

In the article, he invited readers to visit USA.gov and there he said:

“You'll find thousands of directorates, agencies, boards, offices, and services replete with overlapping responsibilities, ancient priorities, and divided accountability.”

He continued:

“We do not need Departments of Commerce, Labor, and Education; we need a single Department of Skills that will promote an integrated approach to global competitiveness. Our military should be trained and structured around missions, not the elements of air, water, and land. That requires fundamental change, but instead, the Defense Dept. has established an overlay of "commands" to compensate for organizational deficiencies. Does it make sense, in 2008, even to have a Bureau of Alcohol, Tobacco, Firearms & Explosives? If so, why is it part of the Treasury Dept.?”

when it gets to the financial sector, Mr. Gerstner stated:

“... the regulatory processes in place are ad hoc and depend on leaders undertaking risky initiatives. Now more than ever, we need a single federal organization to oversee all of our financial institutions.”

In addition to calling for bipartisan action and business cooperation, he suggests the creation of a commission similar to the one established by President Reagan in 1982 that became known as the Grace Commission (named after its chairman and my former boss, the late J. Peter Grace, Jr.) It was this commission that uncovered great government waste. In its final report, the Commission concluded that nearly one-third of all taxes collected by the federal government were squandered through inefficiency. Although, as Mr. Gerstner stated in his article, 2,478 recommendations were made, few were ever tried.

I agree with Lou Gerstner. A government reengineering team should be created, reporting directly to the President. It should be vigorous in its effort to create change not for change sake but because we know that government no longer works. It is a broken system. We are much better off defining new requirements and creating a new government structure, that we can migrate to, one that is lean, flexible and powerful enough to efficiently meet the needs of tomorrow’s citizens.

Come on, don’t be afraid, you’ve got to be more aggressive out of the box. Go for it!

© 2009 WBSeebeck

FEMA Data Breach, Secrecy, And ID Experts Helps With FEMA's Breach Response (Part One)

In December 2008, the Federal Emergency Management Agency (FEMA) issued a press release about its data breach after a consumer:

"... notified FEMA that their personal information pertaining to Hurricane Katrina was posted on the internet. FEMA took immediate and aggressive action to verify that the information posted was indeed tied to FEMA applicants from Hurricane Katrina. FEMA swiftly contacted the website hosting the private information, and worked with them to have this private information removed from public view. Additionally, FEMA identified a second website posting the same information. We also contacted this second website and worked with them to have the private information removed from public view."

The breach affected about 17,000 consumers, and included sensitive consumer data:

"The information posted to the sites... included applicant names, social security numbers, addresses, telephone numbers, email addresses and other disaster information regarding disaster applicants from Hurricane Katrina who had evacuated to Texas. Katrina evacuees listed were from across the Gulf Coast."

FEMA learned about the data breach on December 16 and issued the press release on December 19. That's fast and good. However, much of the press release includes an attempt by FEMA to place blame for the breach on an unnamed state agency:

"... social security information was not in the same format as what would be provided by NEMIS [a FEMA database]. There were also fields that are foreign to the information maintained by FEMA. FEMA believes that most of the applicant information posted on the websites was properly released by FEMA to a state agency which requested and received this information to fulfill routine needs following Hurricane Katrina."

What's with the C-Y-A explanation? Consumers want and need to know two things: a) what is FEMA doing to help breach victims, and b) what are FEMA and the state agency doing to prevent future breaches like this one. Sensitive consumer data has been exposed and no amount of C-Y-A is going to change that. The FEMA press release explains some of "a" and none of "b." Not good.

Nor does the press release disclose the specific state agency involved. Not good. Why the secrecy? Consumers need to know which state agency and that FEMA is working with that state agency to ensure adequate data security so that another breach by a state agency doesn't happen again. Ditch the secrecy and just tell consumers what they need to know with transparency. And keep consumers informed with updated status of the breach investigation.

If the state agency can't comply with reasonable and currently established data security methods, then consumers need to know that. And FEMA needs to an alternative state agency. The secrecy doesn't help anyone.

Tomorrow: a look at the breach response and credit monitoring service FEMA arranged.

Massachusetts Gets Tough On Data Security (Part One)

Changes are coming to Massachusetts businesses. Bank Systems & Technology reported:

"... come May 1, [companies and banks] will have to be mindful of strict new rules coming from the Commonwealth of Massachusetts around data security. The Massachusetts Data Security Regulations are perhaps like no other in terms of their depth and scope... They go beyond the rules of other states and the federal government that simply require companies to notify their customers of theft of their personal information."

There are several personal data items consumers must protect. Companies and banks keep a wide range of sensitive data about consumers (e.g., customers, employees, contractors, and former employees) which they don't always protect. What makes the Massachusetts law stricter:

"... companies, including banks, that handle the personal data of a Massachusetts resident must show they have in place a comprehensive, written information security program with heightened security procedures around how this information is handled. The rules also extend to entities' service providers and the degree to which they too much show they comply with the Massachusetts rules of handling data on residents. Companies have until May 1 to amend their vendor contracts to reflect this and until Jan. 1, 2010 to certify their vendors comply. Furthermore, companies must comply with these rules even if they do not have a single office in the Bay State or if they are in an already heavily regulated industry, like financial services. As long as customers in businesses' databases reside in Massachusetts, those companies are affected by the rules."

Now that's a law I like. Clear data security protections for consumers. There's more:

"Under the rules, companies have a duty to monitor their security programs on an ongoing basis... The safeguards in the program must be administrative, technical and physical in nature. Entities will be required to identify all records used to store personal information... Businesses must also identify and assess both internal and external risks to the organization. Once these steps are completed, they must then evaluate (and improve, if necessary) the safeguards in place around such areas as employee training and physical security... companies will be obligated to limit the collection and use of personal information. They must identify the purposes for which they collect this kind of information and identify how long the wish to keep it and who can access it."

Since so many company data breaches have involved laptop computers and flash drives, the rules also cover employee training and:

"Companies will be required to encrypt data that is not only stored but also when it is being transmitted over networks or physically moved as when an employees take a laptop home."

Amen. That's pretty good legislation which covers most of the problem areas that cause data breaches. However, I would have liked to have seen specific protections in the legislation about RFID, and jail time for executives at companies that don't comply or experience repeated data breaches.

I encourage Massachusetts residents to write to their elected officials and thank them for these new data security. I encourage residents in other states to ask their elected officials what they are doing about data security so their state does not fall behind Massachusetts.

Equifax Pays $65K To The State Of Indiana For Violating Security Freeze Law

During the run-up to the holidays, I almost missed this news item. It received coverage by news organizations in the State of Indiana, but lesser coverage elsewhere. According to the ConsumerAffairs.com site:

"Equifax Information Services has agreed to pay $65,000 to resolve allegations that the company failed to comply with Indiana's security/credit freeze law.... Attorney General Steve Carter obtained a consent judgment after charging that the credit agency failed to place security freezes and failed to issue freeze confirmations and unique personal identification numbers to Indiana consumers within the timeframes as defined by state law."

Basically, Equifax did not admit any guilt, and paid the fine since it violated state law. Hence, the word "allegation" was used above.

In Indiana, credit-reporting agencies are supposed to place a credit-report freeze within 5 business days of receiving a consumer's letter. According to Carter's allegations, Equifax didn't do that fast enough for 19 consumers, including a two-month delay for one consumer. In Indiana, credit reporting agencies are also required to notify consumers within 10 business days that their credit reports have been frozen. According to Carter, Equifax failed to do that for 24 consumers, and it took 6 months to notify one consumer.

It's good to see a state's attorney general looking out for the needs of consumers by monitoring compliance to Security Freeze laws. Most state have Security Freeze laws, and I wonder how many other states are monitoring compliance:

"It is believed that the Indiana Attorney General's Office is the first to enforce the consumer credit freeze statute against one of the three national credit-reporting agencies."

Attorney General Carter summed up the situation well:

"This law was enacted to give consumers a layer of protection against identity theft and other forms of personal identity fraud... The freeze doesn't provide the protections it was designed to give our citizens when the required timeframes and other requirements of the law are not followed."

I have a freeze on my credit reports and I encourage consumers to do the same, especially if your sensitive personal data has been exposed during a corporate data breach. But note, a Security Freeze is not a cure-all. And, read this review if you are considering Equifax's "3-in-1" credit monitoring service.

Caroline Kennedy – Privacy Rights Advocate

[Editor's Note: I am pleased to present another guest post by William Seebeck. I've known "Willie" for decades, going back to our time working together at Lexis-Nexis in Dayton, Ohio during the 1980's. Bill has a wealth of experience in online systems, banking, publishing, and public relations.]

The 17th Amendment to the Constitution of the United States allows a governor of a state to appoint an individual to the U.S. Senate when the sitting Senator has resigned, died or is unable to continue to serve. This appointed person is temporary and will serve out the remainder of an unexpired term. When the term expires, the seat will become vacant and an election will he held for it.

This has been going on since the amendment was ratified by the states in 1913. It has become news in 2009, because a large number of senators, in addition to the president and vice president-elect, have been chosen to work in the Obama administration.

One of the states where a new senator will be named is New York. Governor Paterson will name a replacement for Senator Clinton who has been nominated by the President-elect to be U.S. Secretary of State.

One of the individuals who might be named and has publicly expressed interest for the job and met with the Governor is Caroline Kennedy, daughter of the late President John F. Kennedy. Some say that Caroline, 51 does not have enough qualifications. I say, not only does she have enough qualifications but also has a specialty that I believe must be front and center today and that is our right to privacy.

In addition to seven other books she has written, Caroline along with Ellen Alderman wrote two books on the subject, one in 1991, entitled, “In Our Defense: The Bill of Rights in Action” and in 1995, “Right to Privacy”.

I bought “Right to Privacy” when it came out in 1995. as I was very concerned about privacy issues in the expanding online industry. It was a fantastic book and as far as I am concerned one of the best on the subject. The content covered privacy in all aspects of our daily lives and was eye-opening.

So when I heard that Caroline Kennedy was interested in serving as a U.S. Senator, I thought, well we now have someone who understands the privacy issue and will have the clout to be the people’s advocate on the national stage. Lucky us.

I should also point out that in addition to being the daughter of the late President and an author, she is a graduate of Radcliffe College and Columbia Law School. She is a member of the bar association in New York and Washington, DC. Ms. Kennedy serves on the board of directors of the Commission on Presidential Debates and the NAACP Legal Defense and Educational Fund. President-elect Obama named her co-chair of his Vice Presidential Search Committee that recommended then Senator Joseph Biden.

I’m sure my old squash opponent, Al Franken would agree, she’s qualified.

© 2009. WBSeebeck