South Shore Hospital To Pay $750,000 In 2010 Breach Settlement

Yesterday, South Shore Hospital and the Massachusetts Attorney General's Office both announced a settlement agreement regarding the hospital's 2010 data breach. the breach exposed the sensitive personal and medical information of 800,000 current and former patients, plus patients at Harbor Medical Associates and South Shore Physician Hospital Organization.

In February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted back-up computer tapes to an off-site vendor, Archive Data Solutions, for erasure. The boxes contained the records of 800,000 patients. According to AAG Coakley's office, the hospital failed to inform Archive Data that boxes contained sensitive personal protected health information. Nor did the hospital determine whether Archive Data had sufficient data security methods to protect this sensitive information.

In June 2010, the hospital learned that only one of the boxes, shipped via several companies, arrived at its destination in Texas. The missing boxes have not been recovered. In a statement, AG Coakley emphasized:

“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form... It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach.”

According to terms of the settlement approved in Suffolk Superior Court, the hospital will pay a $750,000 fine which includes a $250,000 penalty and $225,000 for a data security education fund. The Massachusetts Attorney General's office will use the education fund to:

"... promote education concerning the protection of personal information and protected health information."

The payment is also reduced by $275,000 for expenses the hospital has already made for data security improvements. The HIPAA Privacy Rule specifies which health care organizations must comply with certain data security standards. the rule also defines what "protected health information" is: personally identifiable health care information in any format (e.g., print, electronic).

Data Breach At Choice Hotels

Since I started this blog almost five years ago, I've written about a variety of data breaches, where sensitive customer and employee information was stolen. Sometimes, the breach involved hackers breaking into a company's website server. Often, it included the theft of a laptop computer or flash drive left in an employee's parked car. Sometimes, it was "insider identity theft" by an employee or contractor. This latest breach involved a method I hadn't heard before.

About April 25, 2012, Choice Hotels notified the appropriate state agencies in both California and New Hampshire of a data breach affecting residents in those states. According to the breach letter submitted by the company, sensitive customer information (e.g., credit card numbers, drivers license numbers, passport numbers, Social Security numbers) were not entered into the proper database fields in the company's customer systems. As a result, this sensitive data wasn't protected (e.g., encrypted), and was passed along to the company's marketing partners where the sensitive data was inadvertently printed on marketing envelopes mailed to customers.

Choice Hotels claims that less than 0.001 percent of guest stays were affected. The breach was discovered in December 2011, and the company immediately stopped using the database for markeing purposes. The company hired Kroll Advisory Solutions to investigate the problem with a "forensic analysis." About 59 New Hampshire residents were affected and have already been notified.

The company's breach notice did not identify the company's marketing partners. Its website Privacy and Security Policy states that:

"If you reside in California and have provided Choice your personally identifiable information, you may request a list from us of third parties with whom we shared your personally identifiable information for their own direct marketing purposes during the preceding calendar year..."

Choice Hotels operates several lodging brands including Clarion, Comfort Inn, EconoLodge, MainStay Suites, and Rodeway Inn. A copy of the breach notice is available at the New Hampshire Department of Justice website and here (Adobe PDF; 154k bytes). The California Attorney General website also includes a copy of the breach letter sent to affected consumers. The company has reportedly contracted with TransUnion Interactive for for free credit monitoring services for breach victims.

Report Analyzes Breach Notifications Affecting Massachusetts Residents

Last week, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) released its findings from an analysis of four years of data breach notifications reported to the state. A chief finding was that sensitive data often was not encrypted.

Any businesses or entities storing consumers' personal information has been required since Oct. 31, 2007 to report data breaches to the OCABR. Through September 30, 2011, the OCABR received 1,833 breach notices affecting about 3.2 mikllion people, or an average breach size of 1,727 stolen or lost records. 73% (1,336) of the breaches involved electronic files and affected 97% of breach victims.

The financial services industry reported the most breaches (955) during the last four years, affecting 901,156 people. Most of these breaches were the credit- and debit-card transactions at processing centers and retail stores. The health care industry has had fewer breaches (214), but affected far more people ( 983,746), including the South Shore Hospital breach in 2010.

In March 2010, new laws went into effect requiring entities that store, own, or license personal information about Massachusetts residents to develop, implement, and maintain a comprehensive written information security program (WISP) describing how it will protect sensitive information. the new law required entities to encrypt sensitive information if it is transmitted over public networks, the Internet, or carried on portable devices.

The of breaches each year have remained pretty steady, ranging from a low of about 415 to a high of about 470. Other findings:

"... stolen or lost portable electronic devices are most often not secure. Of the 365 devices reported lost or stolen, only 13 were encrypted. The lost devices led to exposure for 409,572 people. By contrast, the 27 encrypted machines kept information secure for 24,269 people... of the 75 lost or misplaced portable devices reported; only one was encrypted, compromising 1.2 million pieces of information. Of the 290 stolen portable devices stolen, 12 were encrypted, protecting 4,110 pieces of information. The 277 unencrypted devices exposed 220,000 pieces of information."

The types of devices lost/stolen included desktop computers and computer tapes. The types of portable devices lost or stolen included laptop computers, thumb drives, and storage discs (CDs). The report concluded:

"If all portable devices were encrypted from 2007 to 2011, the number of residents whose personal information was compromised would be remarkably lower by 47 % or 1,490,308 people. If all portable devices were encrypted from march 1, 2010 the number of compromised residents would have decreased by 29 percent or 909,992 people... compliance with the encryption requirement is a powerful to to safeguard the personal information of millions of residents"

Download the OCABR data breach report (Adobe PDF, 948K bytes).

SAIC To Pay $500.4 Million to Settle Suit With U.S. Attorney And City of New York

Last month, Science Applications International Corporation (SAIC) announced a settlement with the U.S. Attorney Office for the Southern District in New York and with the City of New York about the company's CityTime system. Terms of the settlement require SAIC to pay $500.4 million in restitution and penalties, and an independent monitor selected by the U.S. Attorney's Office will review certain policies and practices by SAIC for three years.

CityTime is an automated workforce management system used by about 163,000 New York City employees in 65 agencies. According to a press release (Adobe PDF) by the U.S. Attorney's Office:

"Under the agreement, SAIC will forfeit a total of $500,392,977 to the Department of Justice, and forgive more than $40 million still owed by the City to SAIC in connection with the CityTime project. In a Statement of Responsibility (the “Statement”) that was part of the agreement, SAIC acknowledged that it failed to properly investigate a 2005 ethics complaint filed by a whistleblower alleging, among other things, that the project’s Program Manager, Gerard Denault, had to be receiving kickbacks on the project from the single source subcontractor he had hired to perform the work. SAIC also accepted responsibility for the illegal conduct alleged against Denault and admitted to by Carl Bell, who served as Chief Systems Engineer in SAIC’s New York City office."

The City of New York had selected SAIC's CityTime system to modernize its timekeeping and payroll systems across City agencies. In 2000, SAIC became the lead contractor on the City's CityTime project, with a value then of approximately $73 million. The Washington Post reported recently:

"Last year, SAIC said it removed three top executives — Deborah Alderson, president of the company’s defense solutions group; John Lord, her deputy; and Peter Dube, general manager of the enterprise and mission solutions business — although the company said there was no evidence that any of the three were involved in the fraud."

SAIC, a Fortune 500 scientific, engineering and technology applications company employs about 41,000 people worldwide, and about 93% of its business is generated by government contracts. In 2011, SAIC was involved with a TRICARE data breach that exposed the sensitive personal data of 4.9 million active and retired military personnel and their families.

Utah Medicaid Breach Larger Than First Estimated

A data breach at the Utah Department of Technology Services (DTS), which operates computer servers that store Medicaid claims data for the Utah Department of Health (UDH), appears to have affected more consumers than first estimated. Late last week, the DTS reported that about 181,000 Medicaid and Children's Health Insurance Plan (CHIP) recipients were affected. About 25,096 people of the 181k total had their Social Security numbers exposed/stolen.

Yesterday, the UDH disclosed a greater number of breach victims: an additional 255,000 additional victims had that Social Security numbers stolen, and an additional 350,000 had lesser personal information exposed/stolen. So, the total count is now 780,000 breach victims:

Medicaid claims typically include patients' names, addresses, birth dates, Social Security numbers, physician’s names, national provider identifiers, addresses, tax identification numbers, and billing codes for medical procedures. The initial breach estimate was 24,000 records exposed/stolen. The breach investigation is still ongoing. UDH disclosed in a press release:

"DTS servers have multi-layered security systems that include many controls, including: perimeter security, network security, identity management, application security, and data security. In this particular incident, a configuration error occurred at the authentication level, allowing the hacker to circumvent the security system. DTS has processes in place to ensure the state's data is secured, but this particular server was not configured according to normal procedure. DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again..."

The UDH is notifying all breach victims via a breach letter, but with a priority of first notifying the consumers whose Social Security numbers were exposed. These breach letters offer one year of free credit monitoring services. Other breach victims will receive a slightly different notice with information about how to further protect themselves. People with online access via the My Case web portal, were given breach notices both online at the web site and via e-mail.

Class Action Suit Filed Against Path Claims More Data Was Collected Besides Address Books

A second class-action lawsuit was filed against Path Inc. claiming the company's mobile app collected more infromation than just users' address books. The suit also calimed that users of the Path app were:

"... victims of unfair, deceptive, and unlawful business practices; wherein their property, privacy, and security rights were violated..."

The additional data allegedly collected without notice and without consent included find GPS locations, users' personally identifiable information, and the personal information of minor children.

The suit claims that the information collected was distributed to other companies with notice or consent, and that tracking methods were added to users digital information:

"Affix to Plaintiff's and Class members' digital content, referencing photos, videos, and audio files, without notice or authorization tracking mechanisms and information... "filtering" of digital content by installation of geo-tags for tracking, interception and monitoring of social network interactions... that third-party social network interactions would be monitored and then transmitted, used, disclosed, and stored on path's servers..."

The suit claims that Path stored address book information is an insecure manner. By February 2012, Path reportedly had about 2 million users.

The suit was filed in Northern District Court of California by attorneys Strange & Carpenter of Los Angeles, and Joseph Malley of Dallas. Readers of this blog recognize Malley, often referred to as a "Privacy Crusader." Malley was involved with class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), Hulu.com and KISSmetrics ("zombie E-Tags"), Ringleader, Facebook, and Apple. In 2010, Facebook settled its suit for $9.5 million. So, Malley has plenty of experience with online privacy and tracking issues.

You can download the Hernandez et al v Path Inc. complaint from Courthouse News (Adobe PDF).

MBTA Releases Third Proposal: Smaller Fare Increases And Fewer Service Reductions

Earlier this year, the MBTA held 25 community meetings to collect feedback from the public about its two proposals; each including different amounts of fare increases, service reductions, and service eliminations. Yesterday, the MBTA release a third proposal, based upon feedback from the public, which includes smaller fare increases and fewer service changes than the first two proposals.

Highlights of the latest proposal:

• Reduces its single year deficit from $185 million to $159 million
• 23% overall fare increase
• 35% fare increase for ferry riders
• Green Line: elimination of E branch weekend service between Brigham Circle and Heath Street
• Commuter Rail: elimination of weekend service on Needham, Kingston/Plymouth, and Greenbush lines
• No reduction in RIDE service, but a $5.00 premium territory fare
• Creation of a "Watch List" for low-performing routes

While the overall, average fare increase reportedly is 23%, the actual fare increases for certain segments are greater. These increases are still painful for many residents who can least afford the increases. Single-fare increases:

• Seniors: local bus: 87.5%
• Seniors: rapid transit: 66.7%
• Student: local bus: 25.0%
• RIDE within ADA territory: 100.0%
• RID outside ADA territory: $5.00 surcharge per trip

Fare increases for selected passes:

• Senior/TAP: 40.0%
• Student 5-Day: 25.0%

Several documents describing the latest proposal are available at the MBTA.com website. The fare increases and service changes will affect everyone, not just MBTA customers. The MBTA Impact Analysis (Adobe PDF; 3.4 M Bytes) states the following about air quality and quality-of-life impacts:

"A reduction in transit trips and addition of automobile trips generally causes increases in the generation of CO, VOC, NOx, CO2, and particulates... as the numbers of automobile trips and vehicle hours increase, the congestion on area roadways also increases. This additional congestion results in lower travel speeds (which are associated with higher emissions of pollutants) for all vehicles, not just those of former transit users... Scenario 3 results in increases in all pollutant emissions and an overall worsening of air quality. VOC emissions increase by the greatest percentage, followed by CO and CO2. Scenario 3 bears out a general rule that usually applies in air quality analyses of this kind: any loss in transit ridership that results in an increase in auto vehicle-miles and vehicle-hours traveled will lead to some level of increase in pollutants."

The fare increases and service changes move the state away from sustainable solutions and towards a greater dependence upon automobiles (and petroleum), with both increased air pollutants and greenhouse gas emissions. This is the wrong direction. Commute times will increase and air quality will worsen for everyone. We cannot drive our way out of this problem.

Transportation systems in several American cities face fiscal issues similar to Boston's system. Several consumer groups are planning a national protest about mass transit for April 4, the 44th anniversary of the assassination of Dr. Martin Luther King.

Report Warns Proposed MBTA Cuts Would Hamper Boston Metro Area's Economy, Jobs And Growth

A Better City (ABC), a nonprofit transportation advocacy organization, has released a position paper about the fare increases and services cuts proposed by the MBTA. ABC analyzed both proposals by the MBTA to close a $161 million budget deficit forecast for the fiscal year beginning July 1, 2012. In its paper, ABC concluded:

"... the T should seek to close part of its budget gap with a more reasonable fare hike and limited service cuts. The T should then work with MassDOT, Massport, the Patrick administration and the legislature to address the remaining budget shortfall for FY 2013, and to begin work on a long-term, comprehensive finance plan for the Commonwealth’s entire transportation system."

The MBTA had proposed service cuts including the termination of late night and weekend commuter rail service, weekend "E" Green Line service, Mattapan Line, many bus routes, and all ferry service. About these cuts, ABC stated:

"... The T should not cut Commuter Rail service after 10pm and on weekends, nor should it cut weekend service on the E Branch of the Green Line or the Mattapan Trolley. Commuter boat service should be preserved, with a lower public subsidy and operated under the auspices of Massport. Due to the severe impact on riders, bus route service eliminations or reductions should be limited to the ten least efficient routes in the system. Going forward, the T should adopt more stringent and rational service planning criteria across all modes and commit to adjusting service accordingly."

According to ABC, everyday the Boston's population doubles as people commute to work. 55% of those work trips, and 45% of all MBTA trips, include commuting to work. The service cuts proposed by the MBTA would make it difficult for employees to get to work, employers to staff positions, patients to visit doctors and hospitals, and customers to visit entertainment venues:

"Across all sectors, ABC member businesses told us they are concerned about the impact that fare hikes and service cuts would have on their employees’ ability to get to work. Some of our members in the hospitality industry noted that the T’s current service hours are not adequate for employees working odd shifts... The viability of T service, then, has a direct impact on the size of this industry’s job shed, and particularly on the job prospects of low-skilled workers... The health care industry operates 24 hours a day, 7 days a week, and the hospitals of the Longwood Medical Area would be particularly impacted by the proposed service cuts to the Green Line E Branch and the Commuter Rail. These cuts would impact the ability not only of doctors, nurses and support staff to get to their jobs, but also of patients to make their appointments... These businesses have also deployed flexible scheduling and staggered shifts to best utilize their real estate and cope with our already-congested transportation network."

The service cuts would force more autos onto already congested roads, resulting in:

"... 55,000 and 92,000 more cars on the road daily... if there were no public transportation in the Boston area, the additional traffic congestion would cost the regional economy $663 million annually. Based on this estimate, if one-tenth of the T’s current ridership elect to abandon the T and drive their commutes... the additional congestion could cost Massachusetts $66 million a year."

Parking around the city, already a problem, would become worse as more people drive and many parking lots are replaced by office buildings:

"ABC members located in the South Boston Waterfront were particularly concerned that changes at the T would increase demand for parking at a time when large lots currently used by commuters to the Waterfront and to the Financial District are slated to be developed over the next decade. South Boston, East Boston and Downtown are all subject to Parking Freezes. The City of Cambridge also enforces a Parking and Transportation Demand Management ordinance. These policies, implemented to curb air pollution, have made both cities heavily reliant on transit to support future economic growth..."

The higher education industry would be similarly affected:

"... increased demand for parking is at odds with their plans to expand. UMass Boston is a commuter school with a 45% transit share. It’s attempting to increase that number to 60% so that it can utilize its surface parking lots for staging construction of new campus buildings. Boston University, which purchases $2.1 million in T passes for faculty, staff and students, and spends $1.6 million operating its shuttle service, is also planning to reduce its parking spaces in order to make room for new construction. T fare hikes and service cuts will make it harder for both these institutions to grow..."

The entertainment and tourism industries would be similarly affected:

"The proposed cuts to evening and weekend Commuter Rail service would have a significant impact on fans’ and patrons’ ability to get into and out of the city for games, concerts and other cultural events."

ABC suggests that the MBTA:

• Limit its fare increase to 25% and pursue smaller, more frequent increases,
• Maintain commuter rail, trolley, and ferry services,
• Cut only the "10 worst" bus lines,
• Better match resources (e.g., buses and trains) to demand

ounded in 1989 as the Artery Business Committee, A Better City is a nonprofit association representing Greater Boston’s business and institutional community on transportation, land development and environmental sustainability. Download the ABC position paper (Adobe PDF, 1.9M Bytes), which is also available here (Adobe PDF, 1.9M Bytes).

Bank Of America To Test New Fees

After consumer backlash last fall forced it to abandon plans to add fees for consumer debit card accouns, the Bank of America is now testing new fees for checking accounts in three states: Arizona, Georgia, and Massachusetts. Reportedly, the new monthly fees apply only to new accounts and range from $9 to $25 depending upon the consumer's account balance.

Meanwhile, the Massachusetts Secretary of State Galvin seeks legislation for national banks operating within the state to offer free checking accounts for young adults under 19 years of age and elders ages 65 and older. Galvin wants to prohibit these banks from holding state and local government deposits unless they offer free checking for these two groups. State-chartered banks in Massachusetts are already required by law to offer free checking to these two groups.

To learn more, visit the banking authority for your state.

National Consumer Protection Week

March 4 - 10, 2012 is national Consumer Protection Week (NCPW). About 30 federal agencies and the U.S. Federal Trade Commission (FTC), plus consumer groups, state, county, and local government agencies are participating with the goal to:

"... focus attention on the importance of consumer information and provide people with free resources explaining their rights in the marketplace."

During the week, various groups will share information and tips about how to:

• Avoid identity theft, and scams,
• Protect your privacy, and
• Manage your money

NCPW began 14 years ago. The website has materials in both English and Spanish. David Vladeck, Director of the FTC's Bureau of Consumer Protection, said:

"The information on NCPW.gov can help consumers understand their rights, protect their privacy online and off, manage credit and debt, avoid identity theft, recognize foreclosure rescue scams, and report fraud... Visitors can download and print materials to share with friends and neighbors, or use the toolkit to plan a larger community event."

To learn more, visit NCPW.gov.

Foreclosure Abuse Widespread

Last week, the San Francisco Assessor-Recorder office released the results of an audit (Adobe PDF) of about 400 home that were foreclosed on during 2009, 2010, and 2011. The audit found that about 84% of the homes had at least one violation of California foreclosure laws.

The office began the audit last Fall with Aequitas, a mortgage investigation firm, after problems surfaced in mortgage records requested by homeowners facing foreclosure. Assessor-Recorder Phil Ting said,

“When it became clear that property records were severely undermined, a red flag was raised... Those records are supposed to be filed with this office and many were simply missing or had serious inconsistencies..."

It's difficult to impossible for a homeowner to fight foreclosure when mortgage records are inaccurate or incomplete. Ting emphasized the need for state legislation to guarantee compliance with California foreclosure laws by the mortgage industry.

The register of deeds in Guildford County, North Carolina, examined 6,100 mortgage documents last year, and found signature irregularities in 4,500 (xx%). Experts see this as a clear indicator of the illegal practice of "robosigning" documents.

Seems to me it is time to both fine companies and send bankers to prison nationwide. Only then will this madness stop. Demand action from your elected officials.

Boston Transit Authority Seeks Public Feedback About Proposed Fare And Service Changes (Part Two)

A prior blog post described a local community meeting held by officials from the MBTA, Boston's transit authority, to collect feedback from the public about which of two fare and service proposals to proceed with. At that meeting, I shared my views about the situation. Earlier this week, a local community meeting drew a large protest:

I have used the “T” subways for many years to commute from home to work in Boston. While living in the Waltham suburb, I used MBTA commuter rail, express buses, and local buses to commute to work. Other mass transit systems I have used:

• While growing up and working in New York City: its MTA buses and subways,
• During college, the bus system in Rochester (NY),
• During graduate study, the elevated trains in Chicago (IL)
• While vacationing in Germany, both the high-speed intra-city rail system and the subway in Cologne,
• While temporarily working in London, its underground and bus systems, and
• While vacationing in Los Angeles, its subway system.

So, I have had plenty of experience using a variety of mass transit systems. I like using mass transit and prefer it over autos.

I read the Information Booklet (Adobe PDF) the MBTA distributed with its two proposed scenarios. I have several concerns.

First, the brochure did not mention nor address the impact upon local small businesses, jobs, and employment. Most Boston residents use the "T" system to get to work or to school. Many use it to shop a businesses within the city. The local community meeting in Dorchester highlighted the fact that many residents (e.g., students, elders and retirees) don't have cars or an alternate means of transportation. They rely on the MBTA.

The large number of service terminations (e.g., bus routes, ferries, "E" line on weekends) spell a disaster for small and local businesses in those areas, who both hire residents as employees and depend upon those residents as customers.

Commuter rail service terminations after 10 pm will likely affect businesses that operate after 10:00 pm. Not just large businesses like the TD North Garden, but numerous small businesses. At the local community meeting I attended, numerous residents shared their feedback about how bus route terminations (e.g., 101 routes in scenario #2) will affect them. Students (e.g., youth) and residents on fixed incomes -- with no alternate transportation -- will be severly affected. Secondary and higher education are huge industries in the Boston metro area. The MBTA proposals don't and should mention how these industries would be affected by the fare increases and service terminations. When service terminations force students to walk to school, there are additional safety issues.

Consumers frequent businesses they can easily and reliably get to. All of the proposed terminations make it more difficult and unreliable for MBTA users -- employees and customers -- to use the MBTA.

It seems that either the MBTA has not considered the impacts upon local businesses and jobs, or does not wish to discuss them. This is odd because the MBTA developed an impact analysis (Adobe PDF) that projected declining air quality from greater auto usage due to service terminations. This is odd because the Big Dig project considered the needs of local businesses along its construction paths:

"But the state had a new task, one that would become a feature of big infrastructure projects nationwide: “mitigation.” Broadly speaking, mitigation was the state’s promise to alleviate the Big Dig’s impact on Boston, from interrupting business to harming the environment. Mitigation eventually accounted for about one-third of the Big Dig’s cost..."

The MBTA needs to do something similar, since it is integral to the health and efficient functioning of the city.

Will students continue to apply to secondary and higher education schools in the area, or will the fare increases and service terminations negatively affect applications? It would be huge disservice if the solution to the MBTA's fiscal mess happened at the expense of the community. There has to be balance.

Second, the MBTA documents did not present utilization rates of the bus routes scheduled for termination. These facts are critical toward evaluating the service cuts. Residents cannot provide informed feedback about the MBTA's proposals without inputs about utilization, the impacts upon employment, and upon jobs.

So, the MBTA has asked the public to "choose the better option," but has not provided all relevant data for the public to make informed choices. That is unfair.

Third, the $4.5 billion debt level and fare comparisons with other cities (Adobe PDF) suggests that a fare is warranted. However, this doesn't give the MBTA a free pass on transparency. I expect the MBTA to do a better job of being transparent about efforts to wring waste out of your system. The documents provided are insufficient.

I talked with MBTA employees (who requested anonymity), and they told me clearly that:

• The MBTA rents a lot of properties it never uses or under utilizes. These properties should be sold or used to increase revenues.
• Better utilization could include options such as power generation (e.g., wind turbines installed on building rooftops) to generate revenue or lower energy costs.
• There are internal human resource programs that cost a lot and drive questionable results.
• Many highways have "aopted a highway mile" programs. The MBTA has not seemed to consider innovative solutions such as this (e.g., 'adopt a station") or similar programs.

Frankly, I don't believe that the MBTA has wrung all of the waste out of its system. Rather, the MBTA seems to take the easy route: raise revenues by raising fares on customers, many of whom are poor and can least afford the proposed fare increases.

Fourth, your proposed fare increases and service terminations seem woefully short-sighted. What about a year from now? How does this solution avoid the situation where we have to revisit your fiscal concerns in a year or two. What about a long-term focus on being environmentally conscious? The proposed solutions don't address this.

The solution for the MBTA's fiscal mess needs to better balance long-term and short-term needs, fit with the city's need to remain competitive and efficient, and fit with the public's desire to use its mass transit system in environmentally friendly ways. My bottom line: the fiscal “cure” should not be worse than the debt “disease.” The surgery should not kill the patient.

Boston Transit Authority Seeks Public Feedback About Proposed Fare And Service Changes

I live and work in Boston. Like many cities in America, Boston's mass transit system faces financial obstacles. In January, the Massachusetts Bay Transit Authority (MBTA) proposed several changes to close its projected operating deficits.

The proposed changes included two scenarios. One scenario includes larger average fare increases with fewer service cuts. the second scenario includes smaller average fare increases with many more service cuts:

	Scenario 1	Scenario 2
Fare Increase	43%	35%
LinkPass	$80	$78
Bus Services Eliminated	23 weekday routes	101 weekday routes
Services eliminated	late night & weekend commuter rail; weekend "E" line; Mattapan line; Ferry
Parking rates increase	28%	20%
Ridership impacts	34-49 million annual trips = 9 - 13%	53-64 million annual trips = 14 - 17%

The current Linkpass fare is about $59. The information brochure (Adobe PDF) about the proposed fare and service changes is available at the MBTA website. The MBTA estimates a $161 million budget deficit in fiscal year 2013. It has a $5.2 billion debt load, which equates $450 million in debt payments each year. Those debt payments equal fare revenues.

In some instances, fares would increase more than 100%. The MBTA compared its fares to transit systems in other American cities (Adobe PDF). The MBTA also prepared an impact analysis document, which concluded that the service cuts will result in poorer air quality.

To collect feedback from the public about which scenario is best, the MBTA is conducting a series of meetings around Boston and in the suburb communities it serves. I attended a Thursday, February 2 session at the Dorchester House Multi-Service Center in Boston's Dorchester community. About 250 residents attended. It was good to see a strong turnout at a midday 1:00 pm session. No apathy here!

Caption: residents speak at the February 2 MBTA meeting at the Dorchester House

An MBTA official briefly presented its public presentation about the proposed changes (Adobe PDF). Most of the two-hour meeting was reserved for residents to speak. A variety of residents spoke: working adults, teenagers, college students, elders, they physically challenged, and retirees. During the session, I saw about 50 residents speak.

A common theme voiced by residents was that the fare increases under both scenarios were steep; many couldn't afford them. Many residents don't have a car, or alternate travel means, and rely on MBTA travel services. Students and retirees have limited incomes, if any, and both the fare increases and service cuts (e.g., buses) would greatly affect them.

MBTA officials handed out a printed statement from Boston Mayor Thomas Menino, which read in part:

"The MBTA provides absolutely critical services to Boston residents, commuters, and visitors. As a transportation hub and economic engine of the region, Boston is uniquely affected by the state of our public transit system... Many administrations have simply passed the buck onto the next administration -- and now the MBTA must find a way to operate with an enormous structural deficit. However, riders should not be forced to shoulder the entire weight of the debt..."

I did not see any reporters from the news media. Several activist groups attended the meeting, spoke, and handed out flyers. The groups included the Coalition to Fund Our Communities, Transportation For Massachusetts, Socialist Equality Party, and Global Exchange. So, there are plenty of ways for residents to get involved and have your voices heard. Contact your elected Massachusetts state representatives today!

The MBTA has scheduled upcoming community meetings for:

• Monday, February 6: Lowell
• Tuesday, February 7: Lynn
• Wednesday, February 8:, Boston (West End) and Hingham
• Monday, February 13: Boston
• Tuesday, February 14: Framingham
• Wednesday, February 15: Quincy
• Thursday, February 16: Malden
• Tuesday, February 28: Somerville
• Wednesday, February 29: Cambridge
• Thursday, March 1: Waltham
• Tuesday, March 6: Brockton

Visit the MBTA website for exact meeting locations.

California Modifies Its Data Breach Laws To Improve Notification

Loeb and Loeb LLP reports that California has modified its security breach rules to expand notification. The revised law goes into effect January 1, 2012. Notification letters to consumers must include:

• A list of the types of personal data exposed,
• The date(s) or date range of the data breach,
• A description of the data breach,
• Whether or not an investigation by law enforcement delayed the notification, and
• The toll-free phone numbers and addresses of the major credit reporting bureaus

Consumers must be notified in writing, unless law enforcement views notification as an obstacle to criminal investigations. Organizations with breaches affecting more than 500 California residents must also notify the California Attorney General's office. According to Loeb and Loeb, the organizations that must comply with Senate Bill 24:

"... any agency, person, or business that owns or licenses computerized data that includes personal information. In the event of a security breach to any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, that agency, person, or business must issue a security breach notification."

Loeb & Loeb LLP provides a variety of services for its Fortune 100 clients, including media and technology, antitrust, finance, corporate and securities, energy, and more. The firm has about 300 attorneys with offices in Los Angeles, New York, Chicago, Nashville, Washington, DC, and Beijing.

These California modifications are good, because too many breach notifications lack details. More disclosure is better since it helps breach victims judge the severity of the breach. I have read several and some states post online the breach notices received by their state judicial agency.

A Wide Variety of Scams Target Senior Citizens

The Detroit Free Press reported about a local workshop to help seniors stay alert about a variety of fraud schemes run by scam artists:

"Michigan AARP says, based on a recent survey, that 79% of its members are concerned about fraud... Seniors are losing $2.9 billion a year nationwide to financial abuse..."

Seniors are vulnerable, since many live on a fixed income and seek ways to to increase their income due to financial pressures and fears. Scam artists use these fears.

FBI agents spoke to seniors at the Fraud Fighter College workshop at Marygrove College. Linda Cena, a securities manager at the Michigan Office of Financial and Insurance Regulation also spoke. Cena advises seniors to call her office to verify brokers and investments before investing large sums of money. Residents in other states can often find identity theft and scam resources in the division of insurance, secretary of state, or attorney general offices in their state government.

Typical scams targeting seniors include:

"... con artists promising a shopping spree in return for a small processing charge on a debit card to crooked financial advisers talking someone into shifting retirement money from a 401(k) plan into a self-directed IRA, and then putting that money into some fraudulent movie scheme. And, yes, a grandson or granddaughter on drugs can become a predator, too."

Experts warn seniors, and their caregivers, that the best defense against identity theft and fraud is to not disclose personal and financial information -- especially over the phone. Another tip: don't leave papers with sensitive information lying on tables around the home where visitors can steal valuable data like Social Security numbers.

Massachusetts Attorney General Sues Five Banks For Alleged Foreclosure and Loan Servicing Abuses

Earlier this month, the Massachusetts Attorney General's office filed a complaint against five national banks for alleged abuses involving fraudulent documentation in home foreclosures (commonly referred to as “robo-signing”), foreclosing without holding the actual mortgage, and failing to uphold loan modification promises to Massachusetts homeowners. The banks named in the lawsuit:

• Bank Of America, N.A. (and its BAC Home Loans Servicing LP subsidiary, formerly Countrywide),
• JP Morgan Chase Bank, N.A.,
• CitiBank, N.A. (and its CitiMortgage subsidiary),
• GMAC Mortgage, LLC, and
• Wells Fargo Bank, N.A.

Also named in the complaint (Adobe PDF, 4.1 MBytes) was MERSCORP, Inc. which owns and operates the MERS System, a national registry that tracks ownership and servicing rights in residential mortgages loans. The Massachusetts AG alleged:

"... the banks used false documentation in the foreclosure process, including so-called “robo-signing”, whereby bank personnel signed affidavits that were untrue, or not based on the signor’s actual knowledge. An entity wishing to foreclose on a property must demonstrate it has filed an affidavit in compliance with Massachusetts law... Filings with various Registers of Deeds provided to the Attorney General’s Office revealed the pervasive use of mortgage service employees to sign hundreds of affidavits and sworn statements without personal knowledge of the information contained in those affidavits. Evidence also suggests these practices were not confined to the foreclosure process, but also used in the assignment, transfer and modification of mortgages..."

About alleged foreclosure abuses:

"... these five entities participated in unlawful foreclosures when they commenced foreclosures on mortgages where they were not the holders of those mortgages. The Supreme Judicial Court (SJC), in Commonwealth v Ibanez, recently upheld Massachusetts law and stated that “only the present holder of a mortgage is authorized to foreclose on the mortgaged property.” The complaint alleges that these entities ignored this fundamental legal mandate and proceeded to foreclosure even though they did not hold the mortgage... The banks’ failure to obtain a valid assignment of the mortgage prior to foreclosure has adversely impacted titles to hundreds, if not thousands, of properties..."

And, about alleged failures regarding home loan modifications:

"... the banks deceived and misrepresented to borrowers the process, requirements, and availability of loan modifications. The banks publicly claimed to be engaged in widespread loan modifications aimed at preserving home ownership and avoiding unnecessary foreclosures. Through the National Homeownership Retention Program, which commenced on November 6, 2008, these banks represented that they would work with borrowers to help them avoid unnecessary foreclosures by reducing monthly mortgage payments to affordable and sustainable levels. The complaint alleges these banks misled borrowers about their eligibility for this program and the amount of relief available, failed to achieve a significant level of modifications, and often strung along borrowers for months in trial modifications that were ultimately rejected."

ICO Updates Requirements For Data Breach Disclosures

The Information Commissioner’s Office (ICO) recently updated its data breach disclosure regulations for ISPs and telecommunications providers in the United Kingdom. To make reporting requirements easier for businesses, the ICO suggests that companies submit a list of data breaches monthly.

However, companies would still need to report major breaches in detail and separately. The existing regulations require companies' breach disclosures to include:

"The nature of the breach; the consequences of the breach; and the measures taken or proposed to be taken by the provider to address the breach."

The existing regulations require companies to maintain a log of any breaches affecting consumers personal information, and to provide affected consumers or customers with a breach notification covering:

"The nature of the breach; contact details for your organisation where they can get more information; and ow they can mitigate any possible adverse impact of the breach."

Companies do not have to report data breaches where the data is protected by encryption. The ICO describes itself as:

"... the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals."

How To File A Complaint About A Bank

Recently, a friend posted this status message on Facebook:

"How does Bank of America stay in business? They continue to threaten and harass even after I have been assured that all issues have been resolved! Issues, by the way, created by their own incompetence! Who do I lodge a complaint with?"

Consumers have several resources to help them with filing a complaint about a bank. Since my friend lives in Massachusetts, first I directed her to the Massachusetts Division of Banks, which regulates banks that operate within the state. This can include help with or submitting a complaint about abuses involving mortgage foreclosures or checking/savings accounts.

If your "banking" problem includes stock or securities fraud, then consumers should consider filing a complaint with the Massachusetts Secretary of State. The responsibility of this administrative agency varies across states, and is based upon the constitution and laws of your state. In Massachusetts, the Secretary of State's office manages several important functions including investment securities, deeds, registration of corporations, elections, and public records.

If you live in a different state, then you can search online for the consumer protection bureau or consumer complaint board within your state that regulates banks. Most states have one.

A second resource is the Federal Deposit Insurance Company (FDIC), which insures banks and financial institutions operating within the USA. The link to the consumer complaint form is conveniently on the FDIC home page.

Sometimes, the problem includes both a bank and a retail company. Then, it is appropriate to submit a complaint the U.S. Federal Trade Commission (FTC), which regulates the activities of retail companies operating within the USA. It is appropriate for consumers to file complaints about deceptive marketing tactics, scams, identity theft, and other topics. The FTC operates a very comprehensive complaint process and database.

If your phone number is registered in the Do Not Call Registry and you belive a company has violated that telemarketing law, then you should file a complaint at the Do Not Call Registry website.

Related articles in this blog which you may also find helpful:

• How To Check Your Insurance Company's Complaint Record
• Received Poor Customer Service? How To Complain Effectively

Secret Memo Describes How Long Mobile Service Providers Store Your Sensitive Personal Information

The North Carolina Chapter of the ACLU recently obtained through a Freedom of Information Act request a U.S. Department of Justice document that described the length of time mobile phone service providers archive consumers calling and location information. The duration varies by both the type of information, and by the service provider (e.g., AT&T, Sprint, Verizon).

The types of information archived:

• Subscriber information (e.g., name, address, SS#, etc.)
• Call detail records (e.g., phone number dialed, duration, time)
• Cellular towers used by the caller (e.g., date, time, duration)
• Text message detail
• Text message content
• Pictures and photos
• IP session information
• IP destination information
• Copies of subscribers' monthly mobile statements/bills
• Payment history: amounts, dates, payment method
• Store surveillance videos
• Service applications

Sprint, Nextel, and Virgin Mobile keep subscriber information forever. Most service providers keep both call detail records and cellular tower location data for one to two years. While most providers don't store "text message content," Virgin Mobile retains "text message details" as briefly as 60 to 90 days, while AT&T keeps it for five to seven years. I not sure what the difference is as both text-message categories sound very similar.

When you enter a retail store, mobile service providers retain that information ranging from two weeks to two months. You can browse the DOJ chart here.

This is important for several reasons. First, should any of the mobile service providers suffer a data breach this document highlights the amount of information that could be lost or stolen. Second, the document outlines the type of information mobile service providers can provide government law enforcement when requested.

In my opinion, companies should disclose these data retention policies in their website policies. Why the secrecy? We consumers know you are collecting and archiving the data.

What is your opinion of these companies' data retention policies?

Doctor Paid $40K For Illegal Disposal Of Patients' Files

Last week, North Carolina Attorney General Roy Cooper announced that Dr. Ervin Batchelor, owner and operator of the Carolina Center for Development and Rehabilitation (CCDR), has paid $40,000 for the alleged illegal disposal of patients medical records.

In June of 2010, the CCDR dumped 1,000 patient files at the West Mecklenburg Recycling Center. The files contained names, addresses, dates of birth, Social Security numbers, drivers’ license numbers, insurance account numbers, and health information for 1,600 people. Mecklenburg County officials contacted the Attorney General’s Office, which then launched an investigation into the illegal dumping.

Besides the fine, Dr. Batchelor has agreed to comply with both state and federal data security laws to protect patients' personal financial and medical information. The CCDR has already notified patients of the data breach. North Carolina law requires businesses and local government agencies to notify consumers affected by a data breach.

In North Carolina, organizations must also report data breaches to the Consumer Protection Division. A total of 889 breaches involving information about more than 3.3 million North Carolina consumers have been reported since state laws on security breaches took effect in 2005 and 2006. AG Cooper said:

“Any business you entrust with your information has a duty to keep it safe. Sensitive financial and health information should never be carelessly dumped, putting customers and patients at risk of identity theft.”

I agree. This is a good example of why it is important for all organizations that archive consumers' personal medical and financial information should have data security procedures in place to prevent data breaches. Unfortunately, several special interest groups have lobbied the U.S. Congress for exemptions to Red Flag Rules, notably physicians and accountants. Special interest groups often claim that the Red Flag Rules are an unnecessary and cumbersome burden.

Well, post data breach responses are a huge burden on organizations. The above fine is one of many costs. And, the improper disposal or theft of consumers' sensitive personal financial and medical information is a huge burden on consumers. Instead of wasting time and resources looking for ways to avoid protecting consumers' information, these groups should be doing the opposite. Protecting consumers' data is in both their and consumers' best interests.