Government

Tuesday, April 15, 2008

Blogging For Civil Liberties Workshop at the ACLU of Massachusetts Conference

On Saturday, January 26, 2008, I attended the first ACLU of Massachusetts conference on Reclaiming Our Civil Liberties. The conference was a real treat for me, since I'd only read about Daniel Ellsberg, the keynote speaker. It was great to hear him live and hear his experiences with the Pentagon Papers. (See also the National Security Archive at GWU.) Ellsberg also discussed his views on the Bush administration, U.S. foreign policy, the Iraq war, the "Blue Dog Coalition" (for perspectives, see C-Span, Common Dreams, and the New York Times), and the oath of government officials to the Constitution (and not a personal oath to the President). Many of today's policies of expansive Executive privilege by the Bush administration are rooted in VP Cheney's tenure in President Nixon's administration.

I attended the conference both as a member and as a panelist. There were over 400 attendees, by my rough count. I spoke at a workshop titled, "Blogging for Civil Liberties." Christopher Ott, the Communications Manager of the ACLU of Massachusetts, chaired the panel. The other panelist was Charles Blandy, Co-Founder and Co-Editor of BlueMassGroup.com.

Workshop panelists Charles Blandy and George Jenkins at the Massachusetts ACLU Conference. January 2008. Waltham. Photo by Marilyn Humphries.

The workshop went smoothly. About 35 people attended it. Charles spoke first and reviewed many of the well-known political blogs (such as Daily Kos and TPMmuckraker) consumers can use to learn about civil liberties and to participate in the blogosphere. My talk focused more narrowly on I've Been Mugged as an example of citizen journalism, consumers' rights regarding identity protection, and notification laws after a corporate data breach.

If you missed the conference, you can listen to the "Blogging For Civil Liberties" podcast (52 minutes, MP3 file, 23 MBytes). You can listen to the podcast on any MP3 player, including the iPod. I'd like to thank Christopher Ott and the ACLU of Massachusetts for making the podcast available. Thanks to Marilyn Humphries for the photograph.

[Note to readers: Sorry for the delay publishing this post. I would have published it sooner, but the podcast was only recently available.]

Monday, April 14, 2008

CVS And The State Of Texas AG Reach An Agreement Regarding Information Security

KLTV reported that the Texas Attorney General's office and CVS Pharmacy, Inc. agreed to a settlement to protect CVS customers from identity theft:

"The settlement resolves the state's April 2007 enforcement action against the nation's largest retail pharmacy, which was charged with violating state laws that govern the disposal of customer records containing sensitive personal information. Under an agreed final judgment obtained by the Attorney General, CVS will overhaul its information security program. The program must be fully documented in writing and contain administrative, technical and physical safeguards designed to protect the personal information of CVS customers. CVS also will pay $315,000 to the State of Texas, which will be appropriated for the investigation and prosecution of other identity theft cases, pursuant to the Identity Theft Enforcement and Protection Act."

The Attorney General's office took action after hundreds of documents containing customers' sensitive personal information (e.g., credit card numbers and expiration dates; prescriptions with date of birth, doctors names, medication type) were unlawfully dumped behind a CVS store in Liberty, Texas. The state will use the money to prosecute other identity theft cases.

Details about the settlement:

"... CVS must implement a new training program to inform its Texas employees about the company's enhanced information security procedures. The employee training program must provide employees with a review of CVS' privacy procedures and a review of state laws governing the disposal of customer records. The training program also must explain identity theft, its costs to individual consumers and businesses, and the importance of abiding by the company's disposal program."

Only Texas employees? These sound to me like sensible and appropriate data security measures that any and all companies should implement nationwide, without waiting for a state AG to sue them into compliance. Forbes Magazine reported:

"... 'the improper disposal of this information was a violation of [CVS'] record retention and privacy policies, and CVS took appropriate disciplinary action,' the statement said. When the suit was filed last year, CVS said the store manager had been fired. Earlier this month, CVS Caremark agreed to pay almost $37 million to nearly two dozen states and the federal government to settle claims it billed Medicaid programs for a more expensive formulation of an antacid."

When disposing of customers' and employees' records, companies would be well advised to follow the advice in this National Law Journal article: "Shred It Or Regret It."

Tuesday, April 08, 2008

Washington State Passes RFID Anti-Skimming Law

There's some really good news about identity theft. The legislators in the State of Washington are keeping up with new technologies. During the last week of March 2008, ComputerWorld Magazine reported:

"Washington Gov. Chris Gregoire this week signed a bill making it a Class C felony to use radio frequency identification (RFID) technology to spy on someone. The bill was signed about a week after the Washington State Senate unanimously passed Bill 1031, which makes it a crime to intentionally scan people's IDs remotely without their knowledge and consent, for the purpose of fraud, identity theft or some other illegal purpose. The bill specifically cites RFID and facial recognition technology. Violators face a prison sentence of up to 10 years. In addition, if the illegally gathered data is used in a separate crime, up to 10 years could be added to whatever sentence violators receive for the second crime."

Why is HB 1031 important? First, according to the Seattle Times:

"The Senate took out an 'opt in' provision that would have made it illegal for any company or person to slip an RFID chip into objects such as loyalty cards or cellphones without consumer consent, said state Rep. Jeff Morris, D-Anacortes, the bill's sponsor. "This is a technology that the consumer is clearly unaware of unless it's pointed out to them," he said."

In other words, it is difficult or impossible for the average consumer to look at a credit card and tell whether it is a standard card or an RFID card. When I've discussed RFID cards with people, 99 out of 100 are unaware of the RFID technology and its associated data security issues. Some type of legislation is sensible and appropriate. Plus, consumers need notification from card issuers.

Second, federal programs are pushing RFID technology into state identification cards. In Washington, HB 2729 governs the use of RFID in driver's licenses:

"As a state with many travelers who cross the border frequently, Washington has become a test bed for RFID. It's one of four states that have signed agreements with the U.S. Department of Homeland Security to use RFID technology in optional enhanced driver's licenses that became available in January."

Third, most states do not have any laws about skimming for identity theft. So, criminals can steal identity data from RFID cards via skimming today with little risk. Fourth, there needs to be some type of coordination across countries because identity theft skimming poses risks for travelers.

If this situation is scary and unacceptable to you, I encourage you to write to your elected officials.

Thursday, March 27, 2008

The State Of Missouri Launches New Anti-Fraud Web Site For Consumers

According to the Springfield News-Leader:

"Missourians concerned about fraud have another resource to protect themselves, according to the Missouri Secretary of State's office. It is a new Web-based Missouri Investor Protection Center, www.MissouriSafeSavings.com, created to help educate investors about potential scams... The Web site provides information on wise investing, recognizing and avoiding fraud and exercising investor rights."

The Missouri Secretary of State's office (SOS) built the web site to address the need for increased protection of Missouri seniors and their investments. The site also features:

  • Senior Investor Protection Unit: a staff of attorneys, investigators, auditors and education specialists who investigate "new cases with senior-specific issues, provides investor education and holds outreach and education events"
  • An online game to raise awareness about fraud scams and threats
  • Additional print publications and online resources

Congratulations to the Missouri SOS for providing this site to their residents. A good next step for the Missouri SOS would be to post companies' data breach notification letters online, as New Hampshire does, so Missouri residents have a reliable source for seeing which companies aren't protecting their sensitive data.

Friday, March 21, 2008

Is A Total Surveillance Society Inevitable?

Recently, ZDNet Australia reported on the Legal Futures Conference at Stanford University in California. Several technologists and legal experts attended the conference, and many of the legal experts again raised concerns that Web 2.0 has come at the expense of individual privacy. The article quoted an IBM technologist at the conference who said:

" 'A total surveillance is not only inevitable and irreversible, but also irresistible,' Jeff Jonas, distinguished engineer and chief scientist at IBM Entity Analytics, said during a panel on surveillance at the conference on Saturday. For example, imagine how convenient it would be to have RFID chips embedded in sunglasses so you could find them easily, Jonas said."

Is he serious? Inevitable? Irresistible? Just so I can find my sunglasses? Consider this:

"Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, acknowledged that she finds the location-based technology in her iPhone very convenient when she's trying to avoid traffic congestion but she doesn't want the government to be able to use that technology to track her down. The fact that all sorts of data about each of us is being gathered and is archived, searchable, and can be compiled to create profiles about each of us is what makes digital privacy intrusions so much scarier than pre-Internet life, she said."

Jeffrey Rosen, a law professor at George Washington University and legal affairs editor of The New Republic, warned of:

"... "privacy chernobyls," which he described as "new threats to privacy that have the potential to transform society in troubling ways". Examples include Facebook revealing more about its members than they care to have revealed and tracking their purchases without consent, as well as AOL inadvertently exposing search terms of 650,000 people in 2006."

Are attitudes in the USA unique?

"The perspective is different in other countries, Rosen said. Americans are, in general, concerned with preventing terrorism, while Europeans are concerned with protecting their individual privacy, he said. For example, the French will bare their breasts but not their salaries and mortgages, and the reverse is true in the US. "My fear is that the cultural differences will make thoughtful regulation difficult," Rosen said."

Probably the most important conclusion:

"Government regulation is necessary to ensure that consumers' privacy is adequately protected online, Granick and Rosen said. Orin Kerr, a professor at George Washington University Law School, said the Fourth Amendment can be applied to the online world in a way that balances individual rights with law enforcement needs."

I find a total surveillance society easily resistible. Nor is it inevitable. We have a choice. What do you think?

Thursday, March 20, 2008

Anti-Real ID Rebellion Spreads To California

On March 10, 2008, Wired magazine reported:

"Assemblyman Pedro Nava (D-35) introduced a non-binding resolution to that effect Monday afternoon in response to concerns about privacy, security and the high price of the federal mandate -- which the government's most recent estimate pegs at $4 billion nationally...Howard Posner, a policy consultant to the Transportation Committee, said that last year the committee contemplated moving legislation to accept Real ID, but reconsidered after 'looking at the cost, and the incredible inconvenience for driver's license holder and the privacy issues.' "

The Real ID Act and the proposed rules by DHS have important implications for how the federal government and states will manage, store, and update citizens' identification data, and for consumer privacy. Here is how such an expensive, unfunded piece of federal legislation happened:

"Congressman James Sensenbrenner (R-WI) added the Real ID mandate to a must-pass defense spending bill in 2005, leaving the details to be determined by the Department of Homeland Security. After much delay, the final regulations were issued in February of 2008."

If the California legislature passes this resolution, then California would join a group of 17 states that have expressed opposition to the unfunded mandate:

"Three states have outright rejected Real ID, setting up a showdown on May 11, when the federal government says it will not allow residents of Montana, Maine, South Carolina and New Hampshire to use their state I.D. cards for federal purposes."

If you have concerns about the Real ID Act, notify your elected officials. Learn more about the Real ID Act at this web site.

Wednesday, February 13, 2008

California Senate Approves Two Measures To Strengthen Identity Theft Laws

California has always led the way with strong identity-theft laws to help consumers. Recently, SC Magazine reported:

"The State Senate in California has passed by wide margins measures that require more extensive notification to consumers of data breaches, establish a central reporting center for breaches, and permit local prosecution of identity theft."

California legislators are trying to make much clearer what a breach notification letter must contain. SB364 requires:

"... that consumers receive a clear, informative notification letter when their personal data kept by a business or public agency has been stolen. It also requires the state to establish a central reporting site to catalog security breaches... a security breach notification must contain the toll-free telephone numbers of the major credit reporting agencies – to allow consumers to put a hold on their credit – and the name and contact information of the business that has experienced a breach. The notice also must include the type of information, such as names and Social Security numbers, that might have been taken; the date of the breach and of its discovery; a general description of the breach; and the estimated number of persons affected."

This is great news! When IBM notified me of the IBM data breach, their notification didn't disclose the number of persons affected, nor did it disclose much describing the breach. After I called and spoke with IBM, they didn't disclose much more. The above law in my state would have been a big help.

California's legislators went even further with a second proposed law:

"... SB612, would allow identity theft to be prosecuted in the county in which the victim lives, which is not always the case now... The current California law permits prosecution in the county in which the theft occurred or the county in which the information was illegally used, both of which may be hundreds of miles away from the victim's home."

This too is great news, since it facilitates prosecution of the identity thief, who usually doesn't live in the same town or jurisdiction as the identity-theft victim.

However, these two bills are not law yet. Both bills must be acted upon by the California State Assembly. If you are a California resident, I encourage you to call your California State representatives and ask them to pass these two new laws. If you live elsewhere, you should contact your state representatives and ask them why your state doesn't have strong laws like the ones California is considering.

Wednesday, January 23, 2008

Treat Consumers' Personal Data Like "Nuclear Fuel"

Since I started this blog in July 2007, I've consistently argued that the risk period for consumers is very long after their personal data has been exposed, especially after a corporate data breach. This applies especially to breaches of birth dates and Social Security numbers, rather than credit card account numbers. According to an article in the Guardian Unlimited:

"We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back."

While this description sounds extreme, I have to agree with it. When IBM lost my personal data in February 2007, my personal data, and that of all the other identity-theft victims, became exposed, and it is just as valuable today as it was a year ago. Identity thieves can open accounts, get loans, or get government identification with it. This is why I also lobby for far longer periods than one or two years of free credit monitoring services from companies that have a data breach. The risk period is long.

In the article, Cory Doctorow writes not just about the descriptive data (name, birthdate, SSN), but about all of the usage data attached to it:

"Data is acquired at all times, everywhere. For example, you now must buy an Oyster Card if you wish to buy a monthly travelcard for London Underground, and you are required to complete a form giving your name, home address, phone number, email and so on in order to do so. This means that Transport for London is amassing a radioactive mountain of data plutonium, personal information whose limited value is far outstripped by the potential risks from retaining it... All these people could potentially be identified, located and contacted through the LU data. We may say we've nothing to hide, but all of us have private details we'd prefer not to see on the cover of tomorrow's paper."

You're probably wondering how long entities should be allowed to keep this personal data. When should it be destroyed? Given the increasing capacity of digital storage, that seems to be a worthwhile conversation to have in the USA, too. Regarding privacy, Doctorow argues:

"A century is probably a good start, though if it's the kind of information that our immediate descendants would prefer to be kept secret, 150 years is more like it. Call it two centuries, just to be on the safe side. If we are going to contain every heap of data plutonium for 200 years, that means that every single person who will ever be in a position to see, copy, handle, store, or manipulate that data will have to be vetted and trained every bit as carefully as the folks in the rubber suits down at the local fast-breeder reactor... And what's worse is that we, as a society, are asked to shoulder the cost of the long-term care of business and government's personal data stockpiles. When a database melts down, we absorb the crime, the personal misery, the chaos and terror. The best answer is to make businesses and governments responsible for the total cost of their data collection."

The last sentence above is key. Entities, corporations or government agencies, decide to store personal data for long periods of time because it benefits them -- financially or otherwise. If they are going to enjoy those benefits, then it's fair for them to also accept the risks and costs. And the cost includes credit monitoring for consumers after their data has been exposed during a data breach.

Free credit monitoring for one year is not acceptance of the cost, in my view. Not even close. 15 or 20 years of free credit monitoring is far closer to the goal.

Wednesday, January 16, 2008

TSA Web Site Puts Travelers At Risk of Identity Theft

If you fly on commercial airlines, then you are aware of the constantly changing security rules. If you have a complaint about a travel experience, you can submit it to the airline or to the Transportation Security Administration (TSA). According to the Washington Post newspaper:

"A government Web site designed to help travelers remove their names from aviation watch lists was so riddled with security holes that hackers could easily have stolen personal information from scores of passengers, a congressional report concluded yesterday. Thousands of people used the Web site, and as many as 247 submitted detailed personal information between October 2006 and last February, the report says."

And, it gets worse. It looks like the fix was in:

"Congressional investigators raised concerns about a conflict of interest in how the no-bid contract to create the Web site was awarded. The TSA employee who framed many of the contract's requirements and was in charge of overseeing the site was once employed by the firm that was awarded the contract -- Desyne Web Services, a small firm in Boston, Va. -- and socialized with members of the company... The TSA continues to use Desyne on various projects, the report said, and has awarded the company no-bid contracts worth about $500,000."

You can download the House Oversight report. I spent some time at Desyne's web site. I've seen better designed web sites with better designed navigation elements. I found the current TSA web site difficult to use and poorly organized. (Note: As an Information Designer in my day job, my role is to architect clients' web sites so they are easy to use from a user's point of view.)

The TSA has a history of producing less-than-optimal web sites. In his Surveillance State blog, Chris Soghoian described his experience with the TSA site:

"This site had a number of security vulnerabilities: it was not hosted on a government domain; its home page was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. Furthermore, the site was filled with typos and other errors, causing some to wonder whether TSA's site had been taken over by phishers... The site was only taken down after I discovered it in February 2007 and posted something to my blog. Shortly after, Wired and a number of other sites picked up the story, and TSA was shamed into pulling down the site."

No matter how the TSA representative tries to spin an answer, a no-bid contract isn't right. It doesn't smell right, either. And we citizens aren't getting the best value for our dollars.
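Soghoian's list above (a page not on a government domain, a home page and a data-submission page served without encryption, and a certificate that did not match) is the kind of thing a reader can check for themselves before typing personal details into any "official" form. The following is an added example, not code from this blog, from Soghoian, or from the congressional report: a small offline audit that takes a page's URL and HTML and flags the first three problems. The `.gov`/`.mil` suffix list, the two sample pages and their hostnames are all constructed for illustration and are assumptions, not real sites. Certificate validation (the fourth problem) needs a live TLS connection and is out of scope here.

```python
"""Static audit of a complaint/redress form page for the weaknesses named above:
- the page itself is not served over HTTPS,
- the page is not hosted on a government domain,
- a <form> submits over plain HTTP or to a non-government host.

Added example; the sample pages and hostnames below are constructed, not real.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: these suffixes are what we treat as "government" domains.
GOV_SUFFIXES = (".gov", ".mil")


class _FormCollector(HTMLParser):
    """Collects the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A missing or empty action means the form posts back to the page URL.
            self.actions.append(dict(attrs).get("action") or "")


def is_gov_host(host):
    """True if the hostname ends in one of GOV_SUFFIXES (case-insensitive)."""
    return (host or "").lower().rstrip(".").endswith(GOV_SUFFIXES)


def audit_page(page_url, html):
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        findings.append(f"page {page_url} is served over {page.scheme}, not https")
    if not is_gov_host(page.hostname):
        findings.append(f"page host {page.hostname} is not a government domain")

    collector = _FormCollector()
    collector.feed(html)
    for idx, action in enumerate(collector.actions):
        # Resolve relative actions against the page URL, as a browser would.
        target = urlsplit(urljoin(page_url, action))
        if target.scheme != "https":
            findings.append(
                f"form #{idx} submits to {target.geturl()} over {target.scheme}")
        if not is_gov_host(target.hostname):
            findings.append(
                f"form #{idx} submits to non-government host {target.hostname}")
    return findings


# Constructed sample: a look-alike page on a commercial domain, served over
# plain HTTP, with one form posting back over HTTP and one over HTTPS.
BAD_PAGE_URL = "http://www.example-redress.net/redress.html"
BAD_PAGE_HTML = """
<html><body>
<h1>Traveler Redress Inqiury Form</h1>
<form method="post" action="submit.php">
  <input name="full_name"><input name="date_of_birth"><input name="ssn">
</form>
<form method="post" action="https://www.example-redress.net/secure/submit">
  <input name="passport_number">
</form>
</body></html>
"""

# Constructed sample of what a properly hosted page looks like.
CLEAN_PAGE_URL = "https://redress.example.gov/inquiry"
CLEAN_PAGE_HTML = """
<html><body>
<form method="post" action="/inquiry/submit"><input name="full_name"></form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in ((BAD_PAGE_URL, BAD_PAGE_HTML), (CLEAN_PAGE_URL, CLEAN_PAGE_HTML)):
        print(url)
        for line in audit_page(url, html) or ["no findings"]:
            print("  -", line)
```

The audit resolves each form's `action` the way a browser does, so a relative action on an HTTP page is correctly reported as an HTTP submission even though the markup never spells out a scheme. The constructed bad page yields five findings (two for the page, two for the first form, one for the second form's host); the clean page yields none.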

Thursday, January 10, 2008

Social Here, Social There, Social Security Numbers Everywhere!

A friend, Catherine, sent me the link to this recent Washington Post newspaper article, which highlighted a huge identity vulnerability in the USA. Frankly, there are millions of paper documents in federal, state, and local records which disclose consumers' Social Security numbers:

"Social Security numbers are readily available in many courthouses -- in land records and criminal and civil case files -- as well as on many government Web sites that serve up public documents with a few clicks of a mouse. From state to state, and even within states, there is little uniformity in how access to the private information in these records is controlled."

This is a very dangerous situation. I cannot over-emphasize the risk. The large number of documents containing Social Security numbers with accompanying names, addresses, and birth dates makes it very easy for identity thieves to visit a local courthouse or government office and collect personal data from paper and online records.

While federal courts have barred Social Security numbers from public court documents since 2001, the ban doesn't cover documents produced before then or documents in state and local government records:

"A recent spot-check found the nine-digit numbers -- introduced in 1936 to track employee earnings and benefits -- on hundreds of land deeds, death certificates, traffic tickets, creditors' filings and other documents related to civil and criminal court cases. Federal courts have banned the numbers from appearing on public documents since 2001... However, millions of paper records were filed across the United States before the laws and rules took effect. Generally, such records are not covered by the prohibitions. And court clerks said it would be virtually impossible to redact all of the Social Security numbers in them."

The article also highlights central Virginia activist Betty "B.J." Ostergren, who pushes lawmakers and government agencies to take sensitive personal data off state-run Web sites. Ostergren operates the thevirginiawatchdog.com site, which lists examples of public figures whose Social Security numbers have appeared in public records.

One thing we consumers can do is press our state and local politicians and government agencies to protect the personal data that resides in public records. The best summary:

"It's alarming, because the government should be setting the example in really trying to protect people's private information," said state Sen. Jamie B. Raskin (D-Montgomery). "Look, there's a whole criminal underground now that thrives on stealing people's credit cards and usurping their identity for as long as they can."

Monday, November 26, 2007

When Heads Must Roll (UK Data Breach)

Last week, BBC News reported:

"Two computer discs holding the personal details of all families in the UK with a child under 16 have gone missing. The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people."

Yes, you read that correctly. Not some families, but all families with children under 16. The missing (probably stolen) data covers sensitive details about 7.25 million families. The disks were lost during transport from HM Revenue and Customs (HMRC) to the National Audit Office (NAO). According to the New York Times:

"... the disks lost in Britain contained detailed personal information on 40 percent of the population: in addition to the bank account numbers, there were names, addresses and national insurance numbers, the British equivalent of Social Security numbers. They also held data on almost every child under 16."

While this data breach was not as big as the TJX/TJ Maxx breach, it was still a catastrophic data security lapse. The delivery package was neither recorded nor registered. The data was password protected but not encrypted. The timeline reported by the BBC:

"The data was sent on 18 October and senior management at HMRC were told it was missing on 8 November and the chancellor on 10 November. Mr Darling said banks were adamant that they wanted as much time to prepare for his announcement as possible."

It would seem that both companies and government agencies in the United Kingdom are slow to inform their identity theft victims, just like in the United States. Gil Sever, the CEO of Safend, described clearly the HMRC data breach:

"This is a glaring and unfortunate example of what happens when organizational policy is not followed and enforced and adequate technological safeguards are not utilized... HMRC's data security issue was twofold: first the information was stored on a vulnerable medium with inadequate protection. Secondly, there was no monitoring procedure to track or record where the data was going or how it was being accessed."

Gee, that sounds a lot like IBM's data breach. Appropriately enough, heads began to roll at the HMRC:

"HMRC chairman Paul Gray resigned earlier after the latest incident came to light."

To my knowledge, nobody at IBM lost their job after IBM's data breach. Not even the delivery vendor that lost IBM's data tapes was fired. Where's the accountability? The consequences?

Friday, November 16, 2007

The Tangled Web of Data Breach Notification Laws

I recently read this in a post by Mark Tordoff at the Compliance and Security Connection blog:

"The issue is the variation between the different state consumer notification laws. Of the 38 states who currently have a law on the books, 18 require notification of any breach, while 20 require notification only when risk of harm is present. All 38 provide exemptions if the compromised data was encrypted. Finally, 24 states require that, in addition to the affected consumers, certain government officers or agencies must be included in their notification."

"Another variable is when the consumer must be notified. “Some states require that consumers be notified when their information is lost. Other states will allow the breached entity to perform some analysis to determine the degree of risk to consumers,” says Jorge Rey, information security and audit manager at independent accounting firm Kaufman Rossin Co. in Miami."

A good statement of the situation, but a narrow definition of the problem.

The problem is more extensive. As a nation we seem to be in our infancy regarding data breach notification and identity theft. A year ago, far fewer states had any type of identity theft laws. Before California in 2003, there were none. We still don't have a good profile of the typical identity thief. We still don't have a good profile of the number of companies that employ effective data security processes. (See the TJX debacle.)

Even with the above laws, some states have exceptions where the company is not required to notify identity-theft victims of its data breach. In Massachusetts' new identity theft law, there is one notification exception called "Substitute notification." If notification is too expensive for a company, they can opt for a more general notification approach (e.g., print or online ads) instead of notifying each identity theft victim individually via postal mail.

While a federal breach notification law seems tempting, I don't see it as an effective solution. Too many companies have business units in other countries or employ offshore outsourcing subcontractors, both of which are ways to avoid the laws. Some companies (like IBM) archive employee and former employee data forever, increasing the risks to the company and to its former employees. And the existing notification laws don't seem to cover the full scope of companies that trade consumers' sensitive personal data, like C.L.U.E. insurance reports from ChoicePoint.

Wednesday, September 26, 2007

Canadian Officials Criticize TJX's Data Security

More about TJX from yesterday's Daily Business Update:

"Retailer TJX Cos. failed to put in place adequate security safeguards to protect customer information, the privacy commissioner of Canada said today."

TJX operates the Winners and HomeSense retail chains in Canada. The news article explained further:

"A joint investigation by Canada's commissioner of privacy and Alberta's privacy commissioner was launched after TJX, the Framingham-based operator of such chains as T.J. Maxx and Marshalls, disclosed in January that its computer system had been breached, resulting in the theft of millions of credit card and debit card numbers..."

Perhaps most importantly:

"The company collected too much personal information, kept it too long, and relied on a weak encryption technology to protect it - putting the privacy of millions of customers at risk..."

Do you still want to shop at Marshalls, HomeGoods, and/or TJ Maxx? First, read this background about TJX's out-of-court settlement. Then, read a January 2007 TJX press release about how TJX was improving its data security:

"[TJX] immediately engaged General Dynamics Corporation and IBM Corporation, two leading computer security and incident response firms. TJX has been working aggressively with these firms to monitor and evaluate the intrusion, assess possible data compromise, and seek to identify affected information. These firms have assisted TJX in further securing its computer systems and implementing security upgrades."

Yep! That's the same IBM that suffered its own data breach in February 2007 and lost an undisclosed number of records with sensitive personal data about its employees and former employees.

Last, the N.H. Department of Justice web site posts copies of all data breach notification letters it receives. I checked the site this morning and noticed that TJX hadn't updated its January breach notification letter, portions of which contain old and obsolete information.

Sunday, August 26, 2007

New ID Theft Law in Massachusetts

A prior blog entry discussed the pending identity theft legislation in Massachusetts. This month, our Massachusetts Governor signed a new identity theft law. According to the Boston Globe newspaper:

"Governor Deval Patrick signed legislation that requires businesses and government agencies to promptly notify consumers when private information such as Social Security and driver's license numbers have been lost or stolen. The law also allows residents to place a "security freeze" on their consumer credit reports to prevent identity thieves from fraudulently creating new accounts in their names. It also establishes rules for the disposal of old records containing personal information. Under those rules, state officials would be required to delete the first few digits of Social Security numbers when handling documents involving personal information if federal authorities don't require the full number. The law also requires companies and state agencies to destroy documents that contain personal information."

This is great news!!! While the new law won't stop all forms of ID theft and fraud, the Credit Freeze provision is far better and stronger protection than the existing Fraud Alert tool from the credit bureaus. I also like the portions of the law that clarify which personal data elements entities (e.g., companies and government agencies) can and cannot retain, and when state government entities should destroy documents with our personal data.

More good news... the new law mandates data breach notification by companies. According to an August 10, 2007 e-mail message I received from Janet S. Domenitz, Executive Director of MASSPIRG:

"The new law, which will go into effect in November, will address the crime of identity theft on several fronts. It will set standards for how consumer information is protected and disposed of by both businesses and government agencies. It will require companies that store this type of data to notify affected individuals if it is lost or stolen. And it allows consumers to proactively prevent identity thieves from opening credit in their name by blocking access to their credit reports through a 'security freeze.' "

I am still reviewing the draft legislation and the text of the new law to understand which provisions made it into the final version... especially:

  • Penalties for corporate violators,
  • Protections for ID-theft victims of data breaches by former employers,
  • Details about the fees and administration of the new "security freeze" option,
  • Promotional guidelines to inform consumers, and
  • Guidelines for outsourcing and/or off-shoring personal data.

If you want to read the draft state senate and house bills, plus the new law (St.2007, c.82: Security Freezes and Notification of Data Breaches), there are links in the right column under "Massachusetts Resources."


Thursday, August 09, 2007

New Hampshire Does It Right

To determine how well my state helps protect me against identity theft, I look at what other states have done. New Hampshire is one of the few states that are leading the way on identity theft protection for consumers. According to the Security Bytes blog:

"There are a few states that demand that organizations that suffer security breaches that compromise customer data report those incidents to the state as well as the affected individuals. One of those forward-thinking states is New Hampshire, and the state has gone a step further and decided to post to its Department of Justice Web site all of the notification letters it receives. The archive only goes back to November 2006 right now and includes a few dozen entries, but that will grow as more companies are breached."

At the NH site, you can view IBM's data breach notification dated April 26, 2007, more than two months after the February 2007 data breach incident. I received IBM's notification in May 2007, and my letter didn't even have a date printed on it. Is that how a world-class computing and software company operates?

Congrats to New Hampshire and to its citizens! I look forward to similar efforts by Massachusetts and other states. Does your state post data breach notification letters online? If so, tell us below. I've Been Mugged readers want to know.


Sunday, August 05, 2007

New ID Theft Law in Minnesota

To determine how well my state helps protect me from ID theft, I look at what other states have done. On July 31, 2007 the Caveat Emptor blog wrote:

"Starting tomorrow, a new law takes effect in Minnesota that will prohibit merchants from storing a customer’s PIN, CVV security code, or magnetic stripe information for more than 48 hours. In another year, the penalty provisions of the law kick in, which allow banks to sue merchants for security breaches. The law essentially gives teeth to security standards already put in place by Visa, MasterCard, and American Express."

This Minnesota law helps prevent payment fraud in cases where an ID thief has stolen a customer's credit card information. Retailers can still retain the customer's card number, expiration date, and cardholder name. My impression is that this new law was prompted by the TJX breach.

There are some good comments by readers on The Consumerist blog about the advantages and disadvantages of this new law. One reader commented:

"In order to settle with the card companies and handle disputes, retailers have to retain this data [name, card number, and expiration date]. Mastercard allows 12 months for disputes, Visa 18 months, and AmEx 24 months. Your data will be retained for some period, I guarantee it. If it was not retained, then card fraud would increase dramatically and costs would go up even more. The problem is keeping unnecessary data and not controlling properly the usage, retention, and storage. Security requirements (known as the PCI DSS) mandated by Visa, Mastercard, Discover, and AmEx already prohibit storage of the information mandated in this law. Not that MOST merchants are compliant. Maybe this will help. Maybe. What this will do is help the merchant banks, card issuers, and card companies further push liability for breaches to merchants. This is NOT necessarily a good thing, although there is a certain amount that needs to happen. I don't want to debate here the extent that a company should go to protect personal data. The bar needs to be higher than it already is, but regulation in this area will ultimately only lead to INEFFECTIVE and EXPENSIVE security controls, instead of useful ones."

Another reader commented:

"For a receipt lookup, a store could easily get away with storing just the last 4 of the card number and expiration date and then doing a match in their database with that and the UPC. Store the cardholder's name too, so in the one-in-a-gajillion chance someone else with the same last 4 and same expiration date bought the exact same item as you, the cashier can just ask you for the name on the card and match it up."

I wonder which other states provide a law similar to this new one in Minnesota.

To me, a law like this is a step in the right direction. A better law would have limited retailers to storing only the last 4 digits of the consumer's credit card number. Regardless, this new law is good news since it a) clarifies who is responsible for what (e.g., the retailer vs. the credit card company); b) specifies what personal data should be retained vs. destroyed, and by when; and c) provides consumers with greater protection against identity theft.
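The retention rule in the Minnesota law and the receipt-lookup idea from the reader comment above can be made concrete. The Python below is an added example written for this page; it is not code from the post, from the law, or from any card brand or retailer. The 48-hour window comes from the quoted law, the last-four-digits-plus-expiry-plus-UPC lookup from the quoted reader comment, and every field name, function name and sample transaction is constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Retention limit for PIN, CVV and magnetic-stripe data, as quoted from the
# Minnesota law in the post. Everything else in this file is constructed.
SAD_RETENTION = timedelta(hours=48)


@dataclass
class Transaction:
    """One card sale. The PAN column is truncated at capture; the sensitive
    authentication data (SAD) fields exist only for the settlement window and
    are cleared by purge_sensitive_auth_data()."""
    txn_id: str
    when: datetime
    upc: str
    cardholder_name: str
    pan_last4: str
    expiry: str                       # "MM/YY"
    pin_block: Optional[str] = None   # SAD
    cvv: Optional[str] = None         # SAD
    track2: Optional[str] = None      # SAD: magnetic-stripe data (carries the full PAN)


def record_sale(store: List[Transaction], txn_id: str, when: datetime, upc: str,
                cardholder_name: str, pan: str, expiry: str,
                pin_block: Optional[str] = None, cvv: Optional[str] = None,
                track2: Optional[str] = None) -> Transaction:
    """Capture a sale, keeping only the last four digits of the PAN."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    txn = Transaction(txn_id=txn_id, when=when, upc=upc,
                      cardholder_name=cardholder_name, pan_last4=pan[-4:],
                      expiry=expiry, pin_block=pin_block, cvv=cvv, track2=track2)
    store.append(txn)
    return txn


def purge_sensitive_auth_data(store: List[Transaction], now: datetime) -> int:
    """Clear PIN, CVV and track data on every sale at least 48 hours old.
    Returns how many transactions still held such data and were cleared."""
    cleared = 0
    for txn in store:
        has_sad = any((txn.pin_block, txn.cvv, txn.track2))
        if has_sad and now - txn.when >= SAD_RETENTION:
            txn.pin_block = txn.cvv = txn.track2 = None
            cleared += 1
    return cleared


def receipt_lookup(store: List[Transaction], pan_last4: str, expiry: str,
                   upc: str, cardholder_name: Optional[str] = None) -> List[Transaction]:
    """Find a sale from last four digits, expiry and UPC alone. The cardholder
    name is used only to break the rare tie where two cards share both."""
    hits = [t for t in store
            if t.pan_last4 == pan_last4 and t.expiry == expiry and t.upc == upc]
    if len(hits) > 1 and cardholder_name:
        wanted = cardholder_name.strip().lower()
        hits = [t for t in hits if t.cardholder_name.strip().lower() == wanted]
    return hits


def holds_full_pan(store: List[Transaction]) -> bool:
    """Audit check: does any stored field still contain a 13+ digit run?"""
    pat = re.compile(r"\d{13,}")
    for t in store:
        for value in (t.pan_last4, t.expiry, t.pin_block, t.cvv, t.track2):
            if value and pat.search(value):
                return True
    return False


def demo() -> dict:
    """Constructed sample: two sales two hours apart whose cards happen to
    share the same last four digits and expiry, buying the same UPC."""
    store: List[Transaction] = []
    t0 = datetime(2007, 8, 1, 12, 0)
    record_sale(store, "T1", t0, "012345678905", "Ann Buyer",
                "4111111111111111", "12/09", cvv="123",
                track2="4111111111111111=09121011000012345678")
    record_sale(store, "T2", t0 + timedelta(hours=2), "012345678905", "Bob Other",
                "5500000000001111", "12/09", cvv="456")
    exposed_before = holds_full_pan(store)               # track2 carries the PAN
    purged = purge_sensitive_auth_data(store, t0 + timedelta(hours=49))
    exposed_after = holds_full_pan(store)                # cleared once purged
    ambiguous = receipt_lookup(store, "1111", "12/09", "012345678905")
    resolved = receipt_lookup(store, "1111", "12/09", "012345678905", "Ann Buyer")
    return {
        "pan_exposed_before": exposed_before,
        "purged": purged,
        "pan_exposed_after": exposed_after,
        "ambiguous_hits": [t.txn_id for t in ambiguous],
        "resolved_hits": [t.txn_id for t in resolved],
        "t2_cvv_still_held": store[1].cvv is not None,   # T2 is only 47 hours old
    }
```

The audit check fails before the purge and passes after it because track-2 data contains the full card number; that is the point of a hard deadline on stripe data rather than on the PAN column alone. The lookup deliberately works without the name and consults it only to resolve a collision, so the stored name never becomes a search key in its own right.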

However, this new legislation is limited in that it seems to focus on retail data breaches. Since 2005, the Privacy Rights Clearinghouse has compiled a list of data breaches that documents both retailer and employer breaches. Hence, effective legislation needs to address both retailer and employer breaches: a) how long employers can retain unnecessary personal data about former employees, b) the personal data employers are allowed to retain, c) the personal data employers must delete and by when, and d) penalties for violators.

In a prior blog entry, I discussed how IBM updated my 16-year-old personal data, an approach it probably took with many other former employees, too. What do you think?


Tuesday, July 03, 2007

What’s the Big Deal About Identity Theft?

In September 2003, the U.S. Federal Trade Commission issued the results of its identity theft study, which estimated that 27.3 million people were identity theft and fraud victims. The study reported that “… [2002] identity theft losses to businesses and financial institutions totaled nearly $48 billion and consumer victims reported $5 billion in out-of-pocket expenses.”

The FTC's findings about the frequency of identity theft:

  • 1.5% of survey participants: their personal information had been misused to open new credit accounts, take out new loans, or engage in other types of fraud, such as misuse of the victim’s name and identifying information when someone is charged with a crime, when renting an apartment, or when obtaining medical care. The FTC calls this “New Accounts & Other Frauds” ID Theft. Projected to the entire population, this result suggests that almost 3.25 million Americans were victims during the past year.
  • 2.4% of survey participants: the misuse of one or more of their existing credit cards or credit card account numbers during the past year. The FTC calls this “Misuse of Existing Credit Cards or Card Numbers.”
  • 0.7% of survey participants: the misuse of one or more of their existing non-credit card accounts during the past year. Examples: checking accounts, savings accounts, or telephone accounts. The FTC calls this “Misuse of Existing Non-Credit Card Accounts or Account Numbers.”

For all types of identity theft combined, 4.6% of survey participants were identity theft victims during the past year. The FTC estimates that almost 10 million Americans were identity theft victims.

The FTC found that the rates were higher when a longer time period was considered:

“4.7 percent of survey participants reported that they had discovered that they were victims of “New Accounts & Other Frauds” ID Theft during the previous 5 years. 6% said that they had discovered that they were victims of the “Misuse of Existing Credit Cards or Card Numbers,” while 2% indicated that they were victims of the “Misuse of Existing Non-Credit Card Accounts or Account Numbers.” In total, 12.7% of survey participants reported that they had discovered the misuse of their personal information within the last 5 years.”

The cost of the theft to consumers varies by the specific type of identity theft:

"On average, victims of “New Accounts & Other Frauds” ID Theft indicated that the person or persons who misused the victim’s personal information had obtained money or goods and services valued at $10,200 using the victim’s information."

Combining the results from “Misuse of Existing Credit Cards and Credit Card Accounts Only” ID theft, “Misuse of Other Existing Accounts” ID theft, and “New Accounts & Other Frauds,” the FTC found that the cost of “this crime approaches $50 billion per year, with the average loss from the misuse of a victim’s personal information being $4,800.”

“Looking at all forms of ID Theft, victims estimated that they had spent $500 on average to deal with their ID Theft experience. Victims of the “New Accounts and Other Frauds” type of ID Theft estimated that they had spent almost $1,200 on average.”

“Victims of ID Theft also spend a considerable amount of their own time resolving the various problems that occurred because of the misuse of their personal information. On average, victims reported that they spent 30 hours resolving their problems. On average, victims of the “New Accounts and Other Frauds” form of ID Theft spent 60 hours resolving their problems.”

15% of ID Theft victims said that thieves misused their personal information in non-financial ways. Examples: presenting the victim’s name and identifying information during a traffic stop, during an arrest, or when charged with a crime.

The FTC distributed 1.2 million copies of the booklet “Identity Theft: When Bad Things Happen to Your Good Name” in English or Spanish between February 2000 and September 2003. Since then, newer materials have become available at the FTC's Identity Theft web site.


  • George Jenkins, author of the I've Been Mugged Blog
  • © 2007 - 2008. George Jenkins. All Rights Reserved.