Chicago Theft Ring Received Sentences For Card Skimming Crimes

In a Chicago court, several defendants were sentenced for card skimming thefts and fraud. The sentences ranged from six years of prison time for the ringleader to two years of probation for other members of the theft ring.

The thieves, working with employees at several fast-food restaurants in Chicago, had allegedly swiped consumers' debit/credit cards through small portable readers to obtain their card numbers. The theft ring then allegedly created fake cards with the stolen card numbers and purchased about $200,000 in merchandise.

Affected consumers had accounts at several banks: Chase, Citibank, Fifth Third Bank Harris Bank, U.S. Bank, Bank of America, and American Express. Reportedly, the banks assisted local law enforcement with the investigations. The seven defendants included:

• Joseph Woods, 33 (the ringleader)
• William Washington, 31
• Alex Houston, 23
• Britain Woods, 34
• Jenette Farrar, 35
• Essence Houston, 29
• Kenyetta Davis, 33,

Congratulations to both local law enforcement and the judicial system.

The State Of Texas Made $2.1 Million In 2012 Selling Drivers Personal Information

The CBS television network affiliate in the Dallas/Ft. Worth area reported that the State of Texas made $2.1 million in 2012 by selling the personal information of Texas drivers. Who buys this information collected by the Texas Department of Motor Vehicles:

"CBS 11’s I-Team Investigator Mireya Villarreal discovered nearly 2,500 agencies or businesses purchased the DMV’s data in some form last year. On this list there are towing companies, collection agencies, insurance companies, hospitals, banks, schools, city governments, and even private investigators."

The Driver Privacy Protection Act (DPPA) limits who can buy this information and what they can do with it. The report also highlighted the situation that Texas drivers cannot opt out of these sales.

CBS 11 provided a spreadsheet file which listed the companies that purchased information about Texas drivers. I spent some time reviewing the spreadsheet file and found:

• What happens in Texas doesn't stay in Texas. Companies from 30 different states purchased the information about Texas drivers
• Information about Texas drivers is popular. About 2,450 companies purchased information from at least 12 different business types
• Expected the unexpected. Businesses that purchased driver data included some you'd expect (e.g., auto dealers, banks, finance companies, title services), but also some you might not expect. The list of business types included auto actions, auto dealers, banks/credit unions, city agencies, collection agencies, finance companies, private investigators, salvage yards, title services, universities and colleges, and wrecker services
• Other who? The "Other" business type seemed to include some interesting organization names from the legal, oil, healthcare, software, and telecommunications industries; plus federal government agencies and some high schools.

The report did not mention the number records each company purchased, the total number of records purchased, or who the largest purchasers were. Knowing this would have enabled a deeper analysis. Then, you could compute an implied value to an average Texas driver's record.

The best comparison I can make is that the State of Florida made about $63 million in 2010 by selling drivers information, with an average value per record of about $ .01. This makes one wonder if Texas government officials did a poor job of selling driver information, or Florida government officials did an exceptional job.

While I didn't see in the Texas list of purchasers the high-profile names of data brokers from the Florida sales, I assume that intermediaries were used.

After reading the Texas DMV webpage about the DPPA, I felt that this page could do a far better job of informing consumers what is really happening. Other states say little in their websites about the money they make from DPPA sales.

What do you think of your state making money by selling your personal information?

Chicago Transit Authority Riders To Use New Ventra Card Starting This Summer

Last month, the CBS television network affiliate in Chicago reported about a new fare card to be offered this summer in Chicago by the local public transit authority. The news report stated:

"... one of the companies behind the new card gets an F rating from the Better Business Bureau... It will be offered by Money Network, which is owned by First Data. Money Network currently has an F rating with the BBB."

Reportedly, the "F" rating was based on complaints by consumers since 2010. Chicago officials said that the new Ventra fare system will save the Chicago Transit Authority (CTA) about $50 million during its 12-year contract with Money Network.

The new Ventra fare card will be available for Chicago consumers during the summer of 2013. Consumers will have the option to use the Ventra card to pay for CTA fares, or to opt in and also use it as a prepaid debit card to pay for purchases at local retail stores. By 2014, the CTA will migrate fully from the current Chicago Card and Chicago Card Plus payment methods to the new Ventra system. In the future, consumers will also be able to pay using their smart phones.

I visited the Ventra Chicago website to learn more. The website provides some information about this new fare and prepaid card:

"Cards are issued by MetaBank™, Member FDIC, pursuant to license by MasterCard International Incorporated. MasterCard and the MasterCard Brand Mark are registered trademarks of MasterCard International Incorporated."

This means that both the CTA and its riders will be doing business with MetaBank. Consumers that activate the prepaid debit option on their Ventra card will definitely want to know what bank is used, especially if there are problems or need help. (What could go wrong with a prepaid card? Read parts 1 and 2 about a consumer's experience with a healthcare prepaid card.) Since Money Network is a Ventra vendor, it means that Money Network (e.g., First Data Corp.) will likely perform the payment transaction processing.

You never heard of MetaBank? There is a pretty useful summary of MetaBank at the GetDebit website:

After reading the Ventra Chicago website, I also expected to find the full terms and conditions (e.g., contract) that applies when consumers opt-in to use the prepaid debit option with their Ventra Chicago card. In my experience, details matter with any prepaid card. Often, prepaid cards contain minimums, limits, and/or several fees (e.g., to load money onto the prepaid card, or make cash withdrawals at certain bank ATM network machines). Additional fees may apply if you use the prepaid card at a different ATM network.

In January, this blog reviewed the new AAA card. Like the coming Ventra Chicago card, AAA members can use their new AAA card as an identification card for towing services and discounts, or opt in and activate the prepaid debit option to use the card to make purchases at retail stores. The new AAA prepaid card has a $25.00 minimum to load money onto it, and a maximum monthly limit of $2,500 (or a $10,000 max with direct deposit). With the new AAA prepaid card, each month only the first ATM cash withdrawal is free, and all other ATM withdrawals cost $2.00 each. And, you have to use it at American Express network ATM machines.

I wanted to see if there were similar conditions with the new Ventra Chicago card, but the website didn't say. This is the type of information informed consumers look for, since there are legal differences and rights consumers have with prepaid cards compared to both credit- and debit cards. Informed consumers want to know their rights and specific rules, especially about replacing the funds on lost/stolen Ventra cards. Hopefully, CTA officials will update the Ventra Chicago website soon with the appropriate detailed information, so Chicago-area consumers can make informed choices.

I visited the BBB website to see if its rating of Money Network had changed since last month. It had and is now rated B+:

You don't need to be a rock scientist to see that the Ventra Chicago business model is one that can be replicated with public transit systems in other cities across the country. As each system makes decisions about the payment methods they will use, transparency is critical. It is important for transit systems to provide consumers with as much choice, freedom, and privacy as possible with payment options, while minimizing fees and surcharges.

What else is going on here? As I see it, several things. First, banks are trying to capture more customers by targeting both consumers who don't have a bank account (called the "unbanked" in industry jargon), and consumers have a single bank account (e.g., checking or a savings but not both are called the "underbanked) with prepaid card pitches. Second, banking industry research has found that consumers who have used debit cards and were burned with multiple overdraft fees, now view prepaid cards as a way to avoid high overdraft fees. So, banks have targeted these consumers, too, with prepaid card pitches directly or through intermediaries (e.g., government, employers). These consumers often don't realize the limits, minimums, fees, and surcharges that often are included with prepaid cards.

Third, given current technologies it is fairly easy to make plastic identification cards perform the traditional functions plus act as a prepaid debit card. That's why you now see prepaid cards to receive government benefits, and with employer healthcare FSA programs. Fourth, it is no secret that banks perform huge data collection of consumers' purchases with all types of plastic in your wallet or purse: debit cards, credit cards, and prepaid cards. Banks analyze and sell your purchases with other businesses including data brokers. So, if you want privacy, keep using cash.

My advice to consumers is this: anytime a bank or company serves up a strong "convenience" pitch with a prepaid debit card, take the time to read closely the contractl details (e.g., often called the Terms and Conditions), the schedule of fees, and the privacy policy. Those documents will indicate what protections and rights you have (or don't have), and the costs. And, there are five things you should know about prepaid cards.

What is your opinion of Ventra Chicago? Of MetaBank? Of Money Network?

21 Fung Wah Buses Removed From Service After Failed Inspections

WBZ-TV, the CBS network affiliate in Boston, reported yesterday evening about the results of an investigation by both the station and the State of Massachusetts. After several bus inspections by state officials, 21 of 28 Fung Wah buses have been removed from service.

Reportedly, bus inspectors found:

"... multiple oil leaks from different parts of the engine, and nuts and bolts that weren’t secure. There were also faulty lights, a door with a broken latch and the lack of proper registration on the charter bus hired by Fung Wah... Three of those buses had cracked frames. Inspectors found they had been re-welded and the work wasn’t done properly..."

The bus company had hired charter buses to replace its buses that had been removed from service. The Boston Globe reported:

"The frame cracks, located in the drive axle, rear axle, engine cradle, and other locations, posed serious safety issues, said Ann Berwick, chairwoman of the utilities department."

State inspectors are so concerned, they have asked the Federal government to suspend Fung Wah's operating license until repairs have been made. The Massachusetts Department of Public Utilities (DPU) oversees transportation and public safety.

Fung Wah operates low-cost passenger bus service between Boston and New York City. Some ticket prices are as low as $15 each way. A check of the company's website did not find any mentions of the failed bus inspections.

[Update, 3:15 pm EST: the U.S. Department of Transportation has ordered Fung Wah to cease passenger operations until safety concerns are addressed.]

17 Privacy Groups Tell US To Stop Lobbying The European Union As It Considers Stronger Privacy Protections For Consumers

Yesterday, about 18 privacy advocacy groups sent a letter to U.S. Government officials which asked for a meeting and requested assurances that the U.S. not hinder new consumer privacy protections being considered by the Europe Union. The group believes that both the U.S. and Europe need to update and modernize their privacy protections for consumers.

The letter, addressed to the U.S. Attorney General, the Secretary of State, the Acting Secretary of Commerce, and two ambassadors who oversee trade with Europe, was signed by the ACLU, the Center For Digital Democracy, the Electronic Privacy Information Center (EPIC), the Patient Privacy Rights Foundation (PPR), the Privacy Rights Clearinghouse, and a dozen other advocacy organizations. The letter (Adobe PDF, 67k bytes) stated:

"Users around the world are experiencing increases in identity theft, security breaches, government surveillance, and secretive, discriminatory profiling. Users find that personal information given for one purpose is often used for another purpose, often without their knowledge or consent. Our personal data -­‐ our privacy -­‐ is being abused by both the commercial sector and governments... Europeans are working together to update and modernize their framework for privacy protection... There are many important, innovative proposals, as well as the recognition that the process of data protection can be simplified to the benefit of all. Europe is considering both an overarching Data Protection Regulation and a Directive on Law Enforcement..."

After a meeting in Brussels with several of the privacy groups, European Parliament members expressed concerns:

"... that both the US Government and US industry are mounting an unprecedented lobbying campaign to limit the protections that European law would provide... They were concerned about the absence of safeguards for personal data stored in the Cloud..."

The Telegraph reported in February 2012 about the intensive lobbyingby U.S. companies. Reportedly, U.S. lobbyists represent several tech companies including Google, Facebook, and Apple. Earlier this month, a leading privacy expert warned citizens in Europe not to use U.S.-based cloud services due to privacy and spying concerns with the FISA Amendments Act of 2008.

As I see it, the privacy letter accurately described the threats to consumers' information and privacy. This blog has reported about numerous instances of corporate data breaches, mobile apps that collected consumers' sensitive data without notice nor consent, developers that fail to provide privacy policies with their mobile apps, app developers that failed to provide privacy notices for parents about apps for their children, secret tracking of online users, software foisted on users without notice during maintenance updates, and a variety of technologies (e.g., Zombie HTTP cookies, Flash cookies, Zombie E-tags, behavioral exchanges, deep packet inspection, e-readers) used by a variety of companies to snoop and track users' online habits often without notice and consent.

More recently, a company has allegedly collected, stored, shared, and manipulated the metadata associated with photos and videos shared at social networking websites. Data privacy laws clearly have not kept pace with Internet and digital technologies.

The group's letter stated several principles in the proposed EU laws that should guide privacy efforts in both the U.S. and Europe:

"... (1) individual control over the collection and use of personal data; (2) transparency; (3) respect for the context in which data is collected; (4) security; (5) access and correction rights for consumers; (6) data limitation; and (7) accountability... These principles reflect many of the same goals contained in the European privacy initiative. But the key is that these principles must be given legal force..."

A copy of the letter is also available here (Adobe PDF, 67k bytes). Visit the CPDP website to learn more about the meeting held in Brussels last month.

6 States Now Ban Employers From Snooping On Your Social Networking Accounts

NBC News reported on Tuesday that six states now have laws making it illegal for employers to request login credentials (e.g., ID and password) to your social networking accounts. The states include California, Delaware, Illinois, Maryland, Michigan, and New Jersey.

The laws in California and Illinois went into effect on January 1, 2013. In the Spring of 2012, Maryland was the first state to ban employers from accessing consumers' social networking accounts.

Congratulations to lawmakers in these states for passing sensible legislation. If you live in a state doesn't have such a law, contact your elected officials today and demand action.

California AG Files Lawsuit Against Delta Airlines For Mobile App

Earlier this month, the California Attorney General (AG) announced a lawsuit against Delta Airlines regarding the company's mobile app for failing to comply with the state's Online Privacy Protection Act:

"The complaint alleges that since at least 2010, Delta has operated a mobile app called “Fly Delta” for use on smartphones and other electronic devices. The Fly Delta app may be used to check-in online for an airplane flight, view reservations for air travel, rebook cancelled or missed flights, pay for checked baggage, track checked baggage, access a user’s frequent flyer account, take photographs, and even save a user’s geo-location. Despite collecting substantial personally identifiable information such as a user’s full name, telephone number, email address, frequent flyer account number and pin code, photographs, and geo-location, the Fly Delta application does not have a privacy policy."

In November of this year, the California Attorney General's office notified several mobilde device app developers that their apps were in violation of the state's privacy law. The consequences for a non-compliant app includes $2,500 for each violation.

California AG Issues Safety Tips For Consumers For Shopping During The Holidays

The California Attorney General (AG) issued these safety tips for consumers to securely shop online:

"1. Shop on secure websites. One clue about which websites are safe and which are not is to look for a yellow padlock in the browser bar or ‘https’ in the web address (the ‘s’ stands for ‘secure’).

2. Don’t make purchases over a free Wi-Fi hotspot like at a coffee shop, which can be scanned by those looking to capture your passwords and other information.

3. Never send personal or financial information through e-mail. Legitimate companies will not ask you to do so because it is not a secure way to transfer sensitive information.

4. If you are receiving text messages on your cell phone saying you have won a prize or gift card, do not click on the link in the message – it is most likely a scam and may install a virus on your phone.

5. To get the full value of a gift card, use it right away. Gift cards that are lost or stolen are not always replaceable. Retailer or restaurant gift cards do not have expiration dates, but bank cards, like Visa or MasterCard gift cards, or cards issued by a mall that can be used at different stores, may sometimes have expiration dates.

6. Know the return policies of the retailers you shop with before you leave the store or conclude an online transaction. Many retailers will give you a refund if you have a receipt and your return is prompt, but some may only give store credit. Ask a clerk if the policy is not posted at the register."

This list is good advice year-round, not just during the holidays. To this list, I would add:

• Treat your smart phone like the handheld computer that it is and install the appropriate anti-virus app
• Know the differences between the three types of plastic in your wallet or purse
• If you are a consumer without a bank account, get all of the facts before moving your money to a prepaid card (or payroll card). Even better: consider a new bank account at a credit union
• Read both the privacy and terms and conditions policies before installing any new apps on your smart phone or tablet. Don't install apps that lack these policies
• If you are a parent giving a smart phone or tablet as a Christmas gift, learn about and teach your children safe mobile device usage and shopping habits

Boston Police Department Safety Alert About Door-To-Door Sales People

The following alert appeared on November 20, 2012 in the Boston Police Department (BPD) community blog:

"The Boston Police is receiving reports about a door-to-door sales person claiming to work for and represent a company called: Just Energy. At present, the group is allegedly soliciting business in the area of Newcastle Road in Brighton. The Boston Police Department is investigating the authenticity of the group..."

Readers of this blog are familiar with Just Energy. It is a valid company and you can browse its website or Better Business Bureau rating. In the above BPD alert, it seems that a criminal may be posing as a Just Energy representative. The BPD advises consumers to follow these safety tips should you encounter any door-to-door salesperson:

"1. Never open your door automatically to anyone without inquiring as to who it is and what they want.

2. If possible, use a ‘peep hole’ or window to see or identify any person knocking on your door or ringing your door bell.

3. When dealing with a person who shows up at your door unannounced or without prior notification (be it a cable provider, maintenance worker, plumber, salesperson) exercise healthy levels of caution and care before agreeing to anything. If a person shows up at your door without proper notification, promptly ask to see an ID, business card or supervisor’s phone number before conducting any further business. If an individual is unable to provide any of the aforementioned forms of identification, discontinue the interaction."

Data Breach At Nationwide Insurance Affects More Than 28,000 Consumers In Georgia

On Monday, the State of Georgia Insurance Commissioner (GADOI) confirmed a data breach at Nationwide Insurance. Hackers gained unauthorized access to private and sensitive information at the company's online computers.

The announcement contained few details. It did not list the specific personal data elements stolen or exposed, nor explain how the breach happened and what the insurance company is doing so this breach won't happen again.

About 28,467 Georgia residents and policyholders were affected. The insurance company has agreed to:

• Provide the GADOI with copies of written breach notices sent to affected consumers,
• Set up a toll-free phone number (800-760-1125) for breach victims to ask questions, and
• Provide breach victims with at least one year of free credit monitoring services

Some news sources reported that the F.B.I. is investigating the breach. Another news source reported that names, birth dates, drivers license numbers, and marital statuses were stolen. Given the personal data elements stolen, the hackers can do damage.

This is not the first data breach at Nationwide. A check of the breach database at Privacy Rights Clearinghouse found that the insurance company had two small breaches (Florida and New York) during 2007 where laptops containing sensitive personal information were stolen from employee's cars. In 2006, Nationwide was one of severalinsurers affected by a lockbox theft at Concentra Preferred Systems in Ohio.

The insurance company has not disclosed the number of affected consumers in other states. More details will emerge and the number of breach victims will most likely increase since several states require notice of data breaches.

Safe Shopping Tips For 'Black Friday' And The Holidays

You have probably read or heard about it in either the print, television, or radio advertisements. Many retailers will open early Thanksgiving day night to start the long weekend of shopping including what many refer to as "Black Friday." If you plan to shop, know your rights and shopping tips so you don't get "mugged" by excessive fees.

To help consumers, the Massachusetts Office of Consumer Affairs & Business Regulation (OCABR) has developed a holiday shopping guide that explains consumers' rights, the actions retailers are allowed, and shopping tips for the best experience. For example:

"Sale: For the term "sale" to be used in an ad when the actual savings are not stated, the law requires the savings to be at least 10% for items regularly priced $200 or less, and at least 5% for items over $200."

"Restocking Fee: This is a charge deducted from the purchase price when an item is returned, resulting in a partial refund. Sellers must disclose their return policies, including restocking fees, before the initial transaction is completed."

"Layaway: A plan that allows you to pay for a product in installments and receive the merchandise after you have paid in full. A store must fully disclose its policy on layaway plans, including cancellation and return (or non-return) of payments already made."

"Know the seller: Purchasing from a seller you know and trust is the best way to ensure an excellent shopping experience. For unknown web-sites, use an online store review service such as Epinions, BizRate, the Better Business Bureau..."

"Shop smart with a Smartphone: Smartphones allow consumers to keep track of deals, navigate between stores, and compare prices. Check out apps such as Consumer Reports Mobile Shopper and Google Shopper..."

To read the full list of right and tips for consumers, download the "Black Friday Shoppers Guide" (Adobe PDF) or this mobile-friendly version of the same report. Rules for retailers in other states may vary. Check with the consumer affairs agency in your state.

Related posts:

• California Attorney General Notifies Developers Of Mobile Apps In Violation Of State Privacy Laws
• How To Lock Down Your iOS Mobile Device
• Survey: How Mobile Device Users Protect Their Privacy With Mobile Apps
• 5 Things You SHould Know About Prepaid Cards
• Will A Credit Card Or A Debit Card Protect You Better From Fraud?

Mintz Levin Updates Its Listing of States Data Breach Notification Laws

Recently, Mintz Levin updated its listing of states data breach notification laws. The listing, often referred to as the "Mintz Matrix" (Adobe PDF), summarizes the data breach notification laws for 46 states, plus the District of Colombia, the U.S. Virgin Islands, and Puerto Rico.

Within the past few months, the states of Texas and Connecticut have amended their breach notification laws. Alabama, Kentucky, New Mexico and South Dakota do not have any laws about data breach notifications.

Breach notification laws typically describe the kinds of data elements (e.g., Social Security number) that comprise consumers' sensitive personal information, the format (e.g., paper, electronic) of information covered by the laws, the types of information that must be encrypted, the types of businesses and government entities covered by the state's law, and both the time period and methods by which notification must be provided to consumers affected by the data breach.

Mintz Levin is a law firm focusing upon general business, intellectual property, biotechnology, litigation, telecommunications, regulatory issues, and financial planning. Earlier this month, former Massachusetts Governor William F. Weld joined the firm.

South Carolina Officials Say 657,000 Businesses Also Affected By Data Breach

The South Carolina data breach that affected 3.6 million consumers is more extensive than originally announced. On Wednesday October 31, state updated their breach announcement with 657,000 businesses also affected. The update also included 620,000 phone calls to Experian by consumers seeking breach information, and about 418,000 consumers have signed up for one year of free Experian ProtectMyID service.

The State also expanded the assistance it is providing both businesses and individuals affected by the breach. Starting today, Friday, South Carolina offers for free to businesses that have filed a state tax return since 1998 the CreditAlert services from Dun & Bradstreet Credibility Corporation. CreditAlert will notify business customers of changes to their business credit file, such as a business address change, or a company officer change. Business owners can visit www.dandb.com/sc/ or call CreditAlert customer service toll free at 1-800-279-9881.

The state is also offering to affected South Carolina businesses the Business Credit Advantage from Experian, which provides unlimited access to a company’s business credit report and score. Interested businesses can sign up for Business Credit Advantage at www.smartbusinessreports.com/SouthCarolina. Businesseshave until December 1, 2012 to sign up.

The state also announced expanded assistance for individuals. Free fraud resolution services are extended past one year, and individuals with children can sign up for the "Family Secure Plan" to protect the Social Security numbers and sensitive personal information of minors and children also exposed/stolen during the data breach. Consumers have until January 31, 2013 to sign up.

The fact that businesses were also found to have been impacted by the breach, suggests that the breach inivestigaton is ongoing: determining the entitites affected, the data elements stolen, and how the unauthorized access and theft was performed technically. As reported by The State:

"Like other S.C. taxpayers, state businesses will be able to get free credit monitoring. But companies will get longer coverage. Businesses that have filed state taxes since 1998 can sign up for lifetime record monitoring from Experian starting [Thursday] and Dun & Bradstreet starting Friday. Consumers can get one year of monitoring and insurance from Experian, paid for by the state."

Why the longer coverage for businesses? The threat to both from identity criminals does not magically end after one year. Of course, businesses have more money, on average, than individuals. I look forward to hearing more from the state about why they chose to give businesses longer coverage for free. It suggests that the state has not finished improving its data security methods and systems.

If you are new to the issue of identity theft and fraud, then the alert services and credit monitoring service will likely help you get started and learn how to protect your sensitive personal information. However, it won't stop all identity fraud, so the value is in the fraud resolution services.

Are you a South Carolina resident or business owner? We'd like to hear about your experiences with the ProtectMyID, CreditAlert, or Business Credit Advantage services.

California Attorney General Notifies Developers Of Mobile Apps In Violation Of State Privacy Laws

Earlier this week, the State Of California Attorney General (AG), Kamala Harris, announced that her office had begun notifying mobile device app developers that were in violation of state privacy laws:

"The companies were given 30 days to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information. Letters will be sent out to up to 100 non-compliant apps at this time, starting with those who have the most popular apps available on mobile platforms."

Last week, the California AG had notified United Airlines about its mobile app. Other companies warned include Delta Air Lines and OpenTable Inc..

The letters are part of enforcement of the California Online Privacy Protection Act, which requires operators of online services (e.g., mobile device apps and apps at social networking sites) that collect personally identifiable information from California residents to conspicuously post a privacy policy. Operators not in compliance face fines of up to $2,500 for each download of a non-compliant app.

Reportedly, non-compliant app developers and app store operators could also be prosecuted under the California Unfair Competition Law and/or False Advertising Law, with fines up to $500,000 per use of a non-compliant app.

This should not be a surprise, given the law and given the February 2012 global agreement between the California AG and several technology companies -- Amazon, Apple, Google, Hewlett-Packard, Microsoft, Amazon, and Research In Motion -- to require mobile app developers to post privacy policies.

This is really good news for consumers who have become increasingly reliant upon mobile devices. Past studies have documented sporadic and poor access to privacy policies by mobile device apps both before and after installation. Once again, California leads the way in protections for consumers.

Massive Data Breach In South Carolina Affects 3.6 Million Consumers

With all of the news and focus on hurricane Sandy, you may have missed this news item. On Friday October 26, the South Carolina Department of Revenue (DOR) announced a data breach where a hacker accessed and stole information affecting 3.6 million consumers, or about 77% of the state's population. The breach victims include consumers who have filed a state tax return since 1998.

The data stolen included 3.6 million Social Security numbers, and 387,000 debit- and credit-card numbers. All except 16,000 credit card numbers were encrypted. None of the Social Security numbers were encrypted.

On October 10, the state's Division of Information Technology informed the DOR of a "potential cyber attack." With the recommendation of law enforcement, the DOR contracted with Mandiant, an information security company, to help with the breach investigation, secure the computer system, and install new equipment and software for stronger protections.

On October 16, breach investigators discovered two breaches during September and one during August. On October 20, weaknesses in the state's computer systems were closed. The state has arranged for one year of free credit monitoring and fraud resolution services with Experian ProtectMyID. Affected consumers should contact ProtectMyID online or via phone (1- 866-578-5422) to see if there personal information was stolen.

By Monday October 29, about 455,000 consumers had called Experian, and about 154,000 had signed up for the ProtectMyID service. However, there have been problems and criticism of the state's response to the data breach. The complaints by consumers trying to call Experian (to see if their information was stolen) included busy phone signals, recordings, no answer, and long waits on hold.

Callers who got through successfully to Experian received a code so they could sign up online for ProtectMyID. At a Monday October 29 press conference, South Carolina Governor Nikki Haley announced the code so breach victims could sign up online for the ProtectMyID service.

If you were affected by the South Carolina data breach, please share your opinions about the state's response or the ProtectMyID service.

California AG Asks United Airlines To Provide A Privacy Policy With Its Mobile Device App

Recently, Kamala Harris, the Attorney General for the State of California, posted the following on her Twitter feed:

"@KamalaHarris Fabulous app, @United Airlines, but where is your app’s #privacy policy? http://1.usa.gov/SWGCTm"

A quick scan of United Airline's twitter feed did not find a reply by the airline to the AG's request. Harris' request refers to a 2004 law in California requiring website operators that collect consumers' personal information to post a privacy policy on its website. While that law predates mobile device apps, Harris' request highlights an important privacy and data security situation. Prior studies have documented privacy abuses by mobile device apps, and either lacking or sporadic access to apps' privacy policies both before and after a user installs an app.

Of course, a privacy policy won't prevent a data breach nor prevent abuse of consumers' sensitive personal information, but it is an important disclosure tool, like food labels, to help consumers:

• Understand what data is collected, archived, and shared with other companies by a product or service,
• Utilize any opt-out or opt-in service settings,
• Begin to evaluate whether or not a company complies with its own privacy policy, and
• Compare data security offerings between competitive products or services

One could argue that given the privacy abuses, privacy policies are even more important for mobile device users. With a traditional desktop or laptop device, there is usually to parties involved: the consumer and the website he/she is visiting. With mobile devices, there are more parties involved: the mobile device manufacturer, the mobile device operating system developer, the app developer, the telecommunications provider, and the app store. It's critical for consumers to know which party's privacy policy applies; and an opportunity to streamline,, consolidate, and reduce the number of privacy policies.

Now that Harris has highlighted the issue, it is an opportunity for the california legislature to amend its state's laws to include apps; and for legislatures in other states to do the same.

What's your opinion of Harris' request? What's your view of privacy policies for mobile device apps?

Massive Data Breach At TD Bank Affects 260,000 Consumers

Several news outlets have reported about a massive data breach at TD Bank, affecting about 260,000 persons from Maine to Florida. The affected consumers include 35,000 in Maine, 3,000 in Florida, 73,000 in Massachusetts, and 43,000 in New Hampshire. According to the CBS affiliate in Philadelphia, most breach victims -- about 150,000 -- are in states in the New England region of the USA.

The bank is notifying affected customers via letters. In a breach notice sent to the New Hampshire Attorney General (Adobe PDF), the bank said:

"We have determined that personal information of New Hampshire residents was included on two data backup tapes that we shipped to one of our locations in late March 2012. The tapes have been missing since then, and we have been unable to locate them..."

The sensitive personal information exposed/stolen includes full names, addresses, Social Security numbers, bank account numbers, birth dates, and driver's license numbers. The bank is offering breach victims with one year of free credit monitoring services via ITAC Sentinel Plus.

In a statement, Martha Coakley, the Massachusetts Attorney General, said:

"The loss of these tapes potentially puts the personal information of thousands of Massachusetts consumers at risk, and we remind consumers to take appropriate steps to protect themselves... We will be reviewing the circumstances of this breach and the steps that TD Bank is taking to address the loss.”

A close review of the bank seems appropriate, since banks are not supposed to lose things, since they are entrusted with valuable items. And, this is not the bank's first data breach:*

• March 2011: "insider identity theft" involving an employee that sold the account information of about about 10 customers causing about $39,000 in fraudulent charges 
• March 2010: a fraud ring, using a former employee, stole and sold the account information of customers to accomplices who then stole about $200,000 from bank accounts

This breach sounds similar to what I experienced in 2007 with IBM, where computer data tapes were lost or stolen during shipment from its headquarters fo an off-site storage facility. That breach sounded like theft, as does the recent TD Bank breach. Vendors don't just accidentally lose computer tapes. Misplace them, perhaps. Lose, no.

Things I noticed in the TD Bank breach notice to its affected customers lacked:

• If a vendor or contractor was involved with transporting the missing/stolen computer data tapes, the corrective actions the bank is taking with this vendor to avoid a repeat of this breach
• If an employee was involved with transporting the missing/stolen computer data tapes, the internal employee training and data security methods is taking to avoid a repeat of this breach. Sadly, there are numerous breaches where company employees left data tapes unsecured in parked autos.
• Notice about how results of its breach investigaton will be communicated to breach victims
• Whether or not the data on the tapes was encrypted; and if it wasn't encrypted why not
• An explanation of why only 12 months of free credit monitoring, when the usability of stolen personal information is far longer

*Note: breach history from Privacy Rights Clearinghouse.

States' Attorney Generals Urge Congress To Reject Payday Lender Bill

On Friday, several states' Attorney Generals announced that they had sent a letter to Congressional leaders urging them to oppose HR 6139, known as the Consumer Credit, Access, Innovation, and Modernization Act. The letter read in part:

"Most states have enacted laws and rules to regulate short term lending, including payday loans. Many of these states have chosen to strike a regulatory balance that preserves access to alternative forms of credit while protecting consumers from repeated debt cycles and other pitfalls associated with such products. H.R. 6139 would turn back existing consumer protections... H.R. 6139 would give nonbank financial services providers – including payday lenders, installment lenders, car-title lenders, prepaid-card issuers, check cashers, and others – access to a federal charter issued by the Office of the Comptroller of the Currency. The bill would totally preempt state licensing laws for nonbank financial services providers... In place of state safeguards, the bill would establish only minimal consumer protections... the bill establishes no standards for determining a consumer’s ability to repay. Moreover, the bill would exempt loans with terms of one year or less from the disclosure requirements of the Truth in Lending Act – the universal standard for measuring the true cost of credit – and substitute a cost metric that is confusing and misleading..."

The letter was sent on Friday October 5, 2012 to House Speaker John Boehner, House Minority Leader Nancy Pelosi, Senate Majority Leader Harry Reid, and Senate Minority Leader Mitch McConnell. 41 states' Attorney Generals signed the letter, including Guam and Puerto Rico.

In Congressional testimony during July 2012, the Office of the Comptroller of the Currency (OCC) stated its concerns:

"The effective result of H.R. 6139 would be to create a class of federally chartered companies (National Consumer Credit Corporations, hereinafter referred to as “NCCCs” or “companies”) focused on consumer credit products of the very nature and character that the OCC has found unacceptable based on consumer protection and safety and soundness concerns. In particular, it is our experience that the profitability of many of the types of small dollar, short-term loans that NCCCs would likely seek to offer is dependent on effectively trapping consumers into a cycle of repeat credit transactions, high fees, and unsustainable debt... The bill will result in a decrease in protections for categories of consumers that may be the most vulnerable. We have ample evidence from the recent financial crisis that the goal of enhanced access to financial products and services must be coupled with assurances that those consumers are subject to meaningful consumer protections and that the firms offering those products and services must do so on a prudent, safe, and sound basis. In this regard, the Consumer Financial Protection Bureau (CFPB) has been provided the authority to issue rigorous, uniform, and nationally-applicable consumer protection standards for financial products and services. It is important that the types of products envisioned for NCCCs not be carved out of coverage of CFPB-administered lending standards..."

There are plenty of examples of this cycle of repeat credit transactions, high fees, and unsustainable debt. In February 2009, CBS News reported about the payday lending industry:

"They've now grown into a $59 billion industry. But six states - Arkansas, Georgia, New Hampshire, North Carolina, Ohio and Oregon as well as the District of Columbia - have now effectively banned these loans... there are 24,000 payday lending stores in America - more than Starbucks and McDonald's combined. They provide 19 million American households a quick way to make ends meet... A typical customer takes out about eight payday loans a year..."

CBS News reported in April 2009:

"The payday loan industry, threatened by Congress with extinction, has deployed well-connected lobbyists and hefty sums of campaign cash to key lawmakers to save itself. The strategy has paid off."

This 2011 news report explained how many layday lenders charge unbelievably high interest rates. Last month, the City of San Francisco negotiated a settlement with payday lender Money Mart (a/k/a Loan Mart), which agreed to pay to $7.5 million to reimburse consumers for alleged illegal lending activities and interest rates as high as 400 percent. Consumers eligible to receive reimbursements may receive payments ranging from $20 to $1,800.

The letter caught my interest for three reasons. First, it seems to avoid unnecessarily the CFPB. Second, it mentioned prepaid-card issuers, which this blog has covered extensively. Banks and non-bank prepaid-card issuers have targeted the same market as payday lenders: consumers who have a checking or savings account and not both (e.g., underbanked), or who have neither (e.g., unbanked). About 8 percent of U.S. households are unbanked, and 20 percent are underbanked. Unbanked and underbanked households are typically non-Asian minorities, low-income, young, and unemployed.

Third, anytime a proposed Congressional bill mentions both "modernization" and financial services, a closer inspection is usually wise. (The Graham-Leach Bliley Act, which repealed Glass-Steagall comes to my mind.) Things often get modernized for some, not for others who really needed it, and there are always unintended consequences. One of the OCC's concerns is money-laundering, which is connected to a host of other global ills. Legislation that creates a new class of financial institutions needs to be well constructed, closely reviewed, an adequately discussed publicly.

The Attorney Generals' letter to Congress is available at the Illinois Attorney General website (Adobe PDF). Download H.R. 6139 (Adobe PDF) and see page 24, lines 3 through 8. That's a deal breaker. And, I suggest that you read the full testimony about H.R. 6139 by the OCC Deputy Comptroller of Compliance Policy (Adobe PDF).

Anthem Blue Cross Settles With California Attorney General Over Data Breach

Everyone who is security conscious knows that a business should never printer consumers' Social Security numbers on health care identification cards, statements, and letters. Doing so facilitates identity theft, fraud, and medical identity theft -- a big help for identity thieves.

Yesterday, the California Attorney General announced both a lawsuit and settlement involving Blue Cross of California, which operates under the name Anthem Blue Cross. The lawsuit, filed in Los Angeles Superior Court today along with the settlement, alleged that Anthem printed Social Security numbers on letters it mailed to more than 33,000 from April 2011 and March 2012. The lawsuit claimed that this violate state law prohibiting the disclosure of Social Security numbers. After the breach, Anthem offered those subscribers one year of free credit monitoring.

This blog has discussed repeatedly how the risk of identity theft doesn't end after a year or two - typically the period businesses offer breach victims free credit monitoring services. Identity criminals will use stolen credentials until they know the credentials are no longer usable.

Terms of the settlement include a $150,000 payment and:

"... requires Anthem to implement new technical safeguards for its data management system, restrict employee access to members’ Social Security numbers and provide enhanced data security training for all of its associates."

The fine seems light since this is not the first breach involving Anthem. A breach of the company's website in June 2010 affected about 470,000 subscribers nationwide.

New Data Breach Law In Connecticut Begins October 1

A new data breach law goes into effect in Connecticut on October 1. The Connecticut Attorney General office announced:

"Connecticut law generally requires anyone who conducts business in Connecticut and who – in the ordinary course of business – owns, licenses or maintains computerized data that includes personal information to disclose a security breach without unreasonable delay to state residents whose personal information is believed to have been compromised. Failure to provide such notice could be considered a violation of the Connecticut Unfair Trade Practices Act (CUTPA)."

The new law includes an email address for companies to report breaches directly to the Connecticut AG office. Previously, companies were required to notify only consumers affected by data breaches. Now, companies must notify both breach victims and the state.