Several Websites Are Dark Today To Protest SOPA And PIPA

To protest the proposed SOPA and PIPA legislation in the U.S. Congress, several websites have gone dark for the day. Critics of the legislation are concerned about the legislation's negative impacts on jobs and on free speech on the Internet. You could call the proposed legislation an online mugging.

Some of the websites that have promised to go dark on Wednesday:

• Free Press
• iSchool at Syracuse University
• MoveOn.org
• Mozilla
• Reddit
• TwitPic
• Wikipedia
• WordPress
• XDA Developers

Other websites, like Google, support the protest by remaining available but with anti-SOPA and anti-PIPA messaging:

"End Piracy, Not Liberty"

In December, GoDaddy reversed its support of SOPA after many users protested by moving their websites to competitors' hosting services.

If you want to learn more about the online protest, read this. If you want to learn more about SOPA and PIPA, read the analysis by EFF. The text of the SOPA legislation is here. ABC News has a basic summary.

California Modifies Its Data Breach Laws To Improve Notification

Loeb and Loeb LLP reports that California has modified its security breach rules to expand notification. The revised law goes into effect January 1, 2012. Notification letters to consumers must include:

• A list of the types of personal data exposed,
• The date(s) or date range of the data breach,
• A description of the data breach,
• Whether or not an investigation by law enforcement delayed the notification, and
• The toll-free phone numbers and addresses of the major credit reporting bureaus

Consumers must be notified in writing, unless law enforcement views notification as an obstacle to criminal investigations. Organizations with breaches affecting more than 500 California residents must also notify the California Attorney General's office. According to Loeb and Loeb, the organizations that must comply with Senate Bill 24:

"... any agency, person, or business that owns or licenses computerized data that includes personal information. In the event of a security breach to any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, that agency, person, or business must issue a security breach notification."

Loeb & Loeb LLP provides a variety of services for its Fortune 100 clients, including media and technology, antitrust, finance, corporate and securities, energy, and more. The firm has about 300 attorneys with offices in Los Angeles, New York, Chicago, Nashville, Washington, DC, and Beijing.

These California modifications are good, because too many breach notifications lack details. More disclosure is better since it helps breach victims judge the severity of the breach. I have read several and some states post online the breach notices received by their state judicial agency.

Senator Schumer Asks Cellular Carriers To Deactivate Stolen Cell Phones

When cellular phones are stolen, often the cellular service provider remotely deactivate the SIM card in the stolen phone. While a deactivated SIM card prevents thieves from accessing the victim's contacts and email, thieves can insert a replacement SIM card and then either use or resell the stolen phone. To deter thefts, Senator Charles Schumer (D-New York) believes that phone companies should do more.

Last week, the Senator wrote a letter to several cellular service providers asking them to deactivate stolen cellular phones. That would make it impossible for thieves to use or resell stolen cell phones. CBS New York reported that New York City ranks second behind Miami in the number of stolen cellular phones annually. According to data from the New York Police Department:

"Forty-one percent of all thefts in New York involve a cell phone, meaning the cell phone is stolen alone or the cell phone is stolen with other goods..."

According to the Senator, the technology already exists today to remotely deactivate stolen cellular phones. Reportedly, on Verizon currently deactivates stolen cell phones. AT&T, T-Mobile, Nextel, and other cellular service providers don't.

Yeshiva World reported:

"IMEI numbers, unlike SIM cards, are assigned exclusively to each cell phone and are not replicated. In the United Kingdom, carriers have the ability to disable handsets based on IMEIs, serial numbers, or other unique identifiers. This prevents criminals from swapping SIM cards to activate a stolen cell phone."

The Senator's proposal makes sense to me. When your credit card account is hacked or your credit card is stolen, your bank will issue you a replacement account and/or credit card. Cellular service providers can do the same.

What do you think of the Senator's proposal?

Comparison Of The Current Data Breach Bills In Congress

There is a good article by the Center For Democracy And Technology (CDT) which compares the current data breach bills in the U.S. Congress. I discussed this proposed legislation in this prior blog post. The CDT reported:

"... there are a number of pending data breach bills, including Representative Rush’s DATA, Representative Bono Mack’s recently marked up SAFE Data Act, and Senators Pryor and Rockefeller’s (acronym-free) Data Security and Breach Notification Act. Other pending legislation, including Senator Leahy’s Personal Data Privacy and Security Act as well as the White House’s Cybersecurity Proposal, also addresses data breaches."

This proposed legislation is important because:

"Current federal law requires notification of consumers in the event of a breach only in limited circumstances, while nearly every state has its own version of a data breach law. Congress is now looking to simplify data breach laws with a national standard, but the question is whether such a standard would be a step forward for consumers. It’s an issue, that CDT has been following since at least 2005."

Whenever politicians want to "simplify" something, it's usually time to start worrying. What may be simpler for corporations and organizations could place consumers' sensitive personal information at risk. And, the usually players will argue about the cost burdens on companies. Let's remember the burdens on consumers, too, who typically have fewer resources.

When I read proposed legislation, I consider it effective data breach legislation when it addresses all of the following components:

1. Definition of personal information. This can be tricky. Just as there are various data elements available about consumers today (e.g., GPS location data attached to photos, images, tweets, social media posts, etc.) that didn't exist 5 or 10 years ago, future technologies will contain new data elements that don't exist today.
2. Define organizations covered by this law. It should cover all organizations in both the private and government sectors. in prior "Red Flag" legislation, attorneys gained an exclusion
3. Dictate how data should be protected (e.g., if electronic records, then encryption) both during transmission and during storage. The legislation has to assume that a variety of identity-theft criminals and hactivists will continually attempt to hack or breach websites containing sensitive consumer information. Prior legislation seemed to assume the traditional data storage within a company's premises. Futurre legislation must assume traditional and cloud-computing storage. Ideally, certain types of sensitive personal information shouldn't be "stored in the cloud."
4. Define the types of events (e.g., a minimum number of records exposed, doemstic locations, international lcoations) that trigger notification
5. Define the parameters of notification (e.g., personal letter via snail mail, ads in news media)
6. Define the assistance provided to breach victims (e.g., consumers, employees, customers). There is no standard definition of "credit monitoring" which may or may not include credit monitoring, quarterly or real-time updates, real-time notices, credit resolution, insurance, and credit scores. Typically, companies offered one or two years of free credit monitoring services. This length is insufficient given the high value and long life of various data elements (e.g., Social Security Numbers).
7. Effect on state law. According to the National Council of States Legislatures (NCSL), at October 2010 about 46 states in the USA plus Puerto Rico and the U.S. Virgin Islands have breach notification laws. The four states lacking breach notification laws are Alabama, Kentucky, New Mexico, and South Dakota. Weak federal legislation that supercede state law would be a step backwards for residents in states with strong breach notification and data security laws.
8. Fit with existing law. There are existing laws for medical and financial informaton. New breach legislation should not weaken these existing laws.
9. Contain sufficient penalties for violators. This can't be a simple "slap on the hand," and must contain sufficiently high fines and/or jail time for repeat offenders.

Breach Notification And Privacy Laws

Australia may be falling behind other countries in implementing data breach notification laws to require companies and government agencies to notify consumers when their personal information has been exposed or stolen. ZDNet Australia reported:

"Australia currently doesn't have any legislation to force companies to disclose breaches, even though it was recommended as part of the Law Commission's report on privacy, released in 2008."

The article summarized existing breach notification laws or pending legislation in several countries:

"Internet and telecommunications service providers in the UK are also already required to disclose when they have experienced a breach. However, the EU commissioner said last month that she wanted to extend this to all businesses... New Zealand doesn't have any breach notification laws... Canada has a Bill that is proceeding through parliament that will require businesses to disclose data breaches if they may result in a "real risk of significant harm". Until this is passed, its Federal Privacy Commissioner has issued guidelines for organisations to follow in the event of a breach, but these are voluntary."

According to the National Council of States Legislatures (NCSL), at October 2010 about 46 states in the USA plus Puerto Rico and the U.S. Virgin Islands have breach notification laws requiring notification when consumers' personal information is disclosed. The four states lacking breach notification laws are Alabama, Kentucky, New Mexico, and South Dakota.

If you live in one of those four states without breach notification laws, you might want to ask your elected officials why.

The need for legislation in the USA is driven not just by data breach notifications but also to protect consumers' privacy. The Do Not Track opt-out setting for consumers is largely ignored by advertisers. Plus, ARS Technica reported:

"... the United States and Turkey are the only developed nations in the world without a comprehensive law protecting consumer privacy. European citizens have privacy rights, Asian citizens have privacy rights, Latin American citizens have privacy rights. In the US, however, in lieu of a comprehensive approach, we have a handful of inconsistent, sector-specific laws around particularly sensitive information like health and financial data..."

Given the state of privacy legislation in the USA and the tendency of consumers to avoid reading the terms of use and privacy policies for products and websites, the result has been that companies':

"... risk-averse lawyers have figured out that the best way to not violate [FTC guidelines] is to not make explicit privacy promises at all. For this reason, corporate privacy policies tend to be legalistic and vague, reserving rights to use, sell, or share your information while not really describing the company’s practices. Consumers who want to find out what’s happening to their information often cannot, since current law actually incentivizes companies not to make concrete disclosures."

Various legislation proposed in the U.S. Congress:

• The Data Breach And Security Act of 2011: re-introduced in June by U.S. Senators Mark Pryor (D-Arkansas) and John D. (Jay) Rockefeller IV (D-West Virginia) to require businesses and nonprofit organizations that store consumers’ personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide breach victims with tools to protect their credit and finances.
• The Secure and Fortify Electronic Data Act (a/k/a the SAFE Data Act) introduced by Mary Bono Mack (R-California),Chairperson of the House Subcommittee on Commerce, Manufacturing, and Trade, to establish national standards for data security and breach notification.
• The Best Practices Act introduced by Bobby Rush (D-Illinois) in February 2011
• The Consumer Privacy Protection Act introduced by Cliff Stearns (R-Florida) in April 2011
• Do Not Track legislation introduced in the State of California Senate

I have not yet read the entire text of all four bills, and will do so once the content settles after revisions and consolidations.

FTC Testifies before Congress About Mobile Privacy

With several mobile device tracking, data collection, and app abuse issues emerging recently, it is important to know the position of one of the chief regulatory agencies in the United States. On May 10, Jessica Rich, Deputy Director of the Bureau of Consumer Protection at the U.S. Federal Trade Commission (FTC), testified before the Senate Judiciary Committee Subcommittee for Privacy, Technology and the Law about mobile device privacy.

Rich first cited some CTIA statistics: wireless penetration of 96% in the United States with 27% having smart phones. During 2010, about 62% of marketers used some form of mobile marketing for their brands.

Rich emphasized that the FTC has explored mobile and wireless issues since 2000, and hosted mobile wireless and consumer privacy workshops that explored some of the issues. As additional proof of the FTC's commitment to mobile privacy for consumers, Rich cited FTC actions against:

• Google for allegedly deceiving consumers by using information collected from Gmail users to generate and populate a new social network, Google Buzz, without users’ consent,
• Twitter for serious lapses in the company’s data security that allegedly allowed hackers to hijack accounts and to obtain access to private “tweets” and non- public data,
• Reverb Communications for alleged deceptive mobile gaming endorsements in the iTunes store,
• Philip Flora for using 32 pre-paid cell phones to over 5 million unsolicited text messages to the mobile phones of U.S. consumers.

Based upon several privacy roundtable discussions, the FTC drafted a preliminary report with privacy recommendations:

"First, staff recommends that companies should adopt a "privacy by design" approach by building privacy protections into their everyday business practices... Second, staff recommends that companies should provide simpler and more streamlined privacy choices to consumers. This means that all companies involved in data collection and sharing through mobile devices -- carriers, handset manufacturers, operating system providers, app developers, and advertisers -- should work together to provide these choices and to ensure that they are understandable and accessible on the small screen... Third, the staff proposed a number of measures that companies should take to make their data practices more transparent to consumers, including improving disclosures to consumers..."

All of this was nice a start, but the FTC's position is still weak and is heavily tilted for corporations at consumers' expense. More balance is needed.

As I read the FTC' Richs testimony (PDF), the recommendations are not mandatory but voluntary. And she skipped an important issue: that most or all tracking programs are opt-out based (e.g., where consumers are automatically included), instead of opt-in based (e.g., where consumers are in control and must opt-in or register first before companies can track them).

What do you think?

Facebook And Google Claim The "Do Not Track" Bill Is Bad For The Economy

In a letter to the California legislature (PDF), several companies including Facebook and Google claim that the proposed "Do Not Track" law is bad for the California economy:

"California Senate Bill 761 would create an unnecessary, unenforceable and unconstitutional regulatory burden on Internet commerce. The bill covers an overly broad range of information, and would regulate indirectly virtually all businesses who collect, use or store information from a website. The measure would negatively affect consumers who have come to expect rich content and free services..."

The companies that signed this letter included Acxiom, Allstate, American Express, Experian, Facebook, Google, Acxiom, Reed Elsevier, Specific Media, Time Warner Cable, Yahoo, and others. The companies claim that SB 761 is unnecessary because:

"... consumers can easily opt out of the collection of data through browser tools. The four leading Internet browsers - Internet Explorer, Safari, Firefox, and Google Chrome - all provide user-friendly filtering options that block the ability of companies to collect data or track Internet use."

This is not entirely correct, as websites and companies are not required to honor the do-not-track request from the web browser. According to these companies, this is how California's economy could be harmed:

"SB 761 would create a second, conflicting set of standards to which companies would have to conform or else face class action lawsuits. This would, in turn, create significant confusion and uncertainty for investors, businesses and consumers. Online commerce would simply be unworkable if websites were forced to comply with a patchwork of privacy and notice laws. This would impose an unprecedented and arduous regulatory burden on Internet commerce. Further, a do not track requirement on the use of this data would stifle innovation..."

A patchwork quilt of laws? That is what we have today with breach notification and data security across states. If these companies can exist with a patchwork quilt of breach notification laws in one area, they can live with a patchwork quilt of laws in another area.

The bigger issue is that these companies have taken a strong stand for extensive tracking. How? These companies are content with opt-out as the program standard: consumers are always automatically included and the burden is on consumers to consistently opt-out. I have long argued in this blog for the program standard to be opt-in: consumers aren't included until the consumers chooses to register or opt-in.

Plus, I Facebook's objections to any limitations on consumer tracking is not a surprise to me, given Facebook's ties to Rapleaf, and how Facebook uses its social plugins to both deliver content and to track consumers across the Internet. When you visit a website with a facebook social plugin, Facebook captures the date and time of your visit, the web page visited, your IP address, your computer's operating system, and (if you are signed into Facebook) your Facebook user ID number. This data collection rivals what Google collects.

The letter has a "sky is falling" aspect to it. These companies operated well when the Internet had little or no tracking. They will survive regardless of the claims.

Proposed "Do Not Track" Law In California: Senate Bill 761

It's been a busy couple of weeks regarding privacy news, and unfortunately the Sony data breaches have temporarily pushed aside other important news. Since California led the way with data breach notification legislation for consumers, I definitely wanted to discuss the following news.

In February of this year, California Senator Alan Lowenthal introduced legislation (California Senate Bill 761) to provide consumers with greater protections and controls with mobile privacy. Since February, the original legislation has been amended a couple times. The latest bill revision at April 25 stated:

"... to adopt regulations that would require a covered entity, defined as a person or entity doing business in California that collects, uses, or stores online data containing covered information from a consumer in this state, to provide a consumer in California with a method to opt out of that collection, use, and storage of such information. The bill would specify that such information, includes, but is not limited to, the online activity of an individual and other personal information. The bill would subject these regulations to certain requirements, including, but not limited to, a requirement that a covered entity disclose to a consumer certain information relating to its collection, use, and storage information practices. The bill would, to the extent consistent with federal law, prohibit a covered entity from selling, sharing, or transferring a consumer's covered information. The bill would make a covered entity that willfully fails to comply with the adopted regulations liable to a consumer in a civil action..."

This bill starts to get a handle on the extensive data sharing by companies that most companies do not disclose in their website privacy and terms policies. Covered information includes consumers' online usage, including (bold text added for emphasis):

"... the Internet Web sites and content from Internet Web sites accessed; the date and hour of online access; the computer and geolocation from which online information was accessed; and the means by which online information was accessed, such as, but not limited to, a device, browser, or application... Any unique or substantially unique identifier, such as a customer number or Internet Protocol address... Personal information including, but not limited to, a name; a postal address or other location; an e-mail address or other user name; a telephone or fax number; a government-issued identification number, such as a tax identification number, a passport number, or a driver's license number; or a financial account number, or credit card or debit card number, or any required security code, access code, or password that is necessary to permit access to an individual's financial account."

That should sufficiently cover the UDID unique identifier in smart phones and mobile devices. I hope that more states pursue and adopt similar legislation. As reported in The Register UK:

"California stands to become the first US state to pass do-not-track legislation and is poised to beat any national law. The Do Not Track Me Online Act was only introduced to the US House of Representatives in Washington DC in February – that was by another Californian Democrat, Jackie Speier – and must navigate Capitol Hill's partisan log jam."

What I found most important for consumers to know:

"... the problem with do-not-track at the browser level is that there's no requirement on the web site to honor the do-not-track request."

The consumer advocacy group Consumer Watchdog sponsored the California legislation, and wrote this in an April 2011 letter Google (PDF):

"As you are aware, online commerce relies on consumer trust. Sadly, much of the current Internet business model is based on invasive and pervasive tracking of consumers’ online activities without their knowledge or control. This should not be the business model of a company whose motto is “Don’t Be Evil.” Do Not Track legislation would give consumers meaningful protection and control. It would build their confidence in the Internet – a win, win situation for business and consumer."

I agree with ConsumerWatchdog, as I have covered in this blog the pervasive and undisclosed online tracking in posts about tracking by credit reporting agencies, unannounced tracking with Fash cookies, persistent tracking with "zombie" cookies., and tracking by the advertising networks.

German Government Proposes New Data Breach Notification Law

In its "Privacy and Information Security Law" blog, the Hunton and Williams law firm announced that the German government has proposed a new data breach notification law:

"... telecommunications companies must report data breaches to the Federal Network Agency (the Bundesnetzagentur or “BNetzA”), and the Federal Commissioner for Data Protection and Freedom of Information. In the event the rights or protected interests of subscribers or other persons are affected by the data breach, such individuals also must be notified without undue delay."

While the notification of affected consumers is not required if the data is encrypted, the BNetza retains the right to require any telecommunications companies to notify consumers regardless of the data security protections in place at the time of the breach.

The new breach notification rules are part of broader changes under the European e-Privacy Directive, scheduled to go into effect in May of 2011. Other changes in these new European Union directives include tightened rules about how companies treat, collect consumers' data, and obtain consent with consumers' web browser cookies.

Privacy Quiz: Are You More Recognizeable Than Jackie O.?

Apparently, I am -- according my results of the Digital Privacy Quiz by the ACLU.

I took the online quiz the other day. It was easy and informative. The quiz helped me understand the ways we consumers are tracked, the lack of choice we face, and which of my online habits create risky to my privacy.

Most of the quiz uses a tongue-in-cheek approach with humor. So, don't expect a rigorous, serious-toned academic type quiz.

I like the phrase "digital privacy" because it is more than simply online privacy. It encompasses all of the ways companies collect information about consumers, and the variety of our habits that create information digitally.

Of course, the ACLU is interested in recruiting consumers to join their petition of Congress to tighten laws to protect consumers' digital privacy. Disclosure: I am and have been an ACLU member for many years. Also, I have spoken at a prior Massachusetts ACLU convention. I hope that you will take the quiz, and then read and sign the petition.

Last, a link for those who don't know who Jackie O. was.

To Help Consumers, New Credit Card Rules From The Federal Reserve Board

In February of 2009 this blog warned consumers about pending credit card interest rate increases. Yesterday, the Federal Reserve Board (FRB) announced new rules to protect consumers from unreasonable late payment and other penalty fees. The new rules prevent credit card issuers and banks from charging:

• Penalty fees that are more than $25 for late payments or violations of the account terms
• Penalty fees that exceed the dollar amount of the transaction. Example: credit card issuers cannot charge a $39.00 fee for a late payment that is higher than the minimum $20 payment. Now, that late payment fee cannot exceed $20.
• Inactivity fees when consumers don't use their credit cards to make purchases
• Multiple penalty fees based on a single late payment or other violation of the account terms.Now, banks can charge only a single fee.

In its announcement, the FRB also announced rules to require banks to reevaluate every six (6) months a consumer's credit card interest rate (e.g., the Annual Percentage Rate printed on your monthly statement). The bank must explain why they are increasing the interest rate on your credit card; or lower it within 45 days.

The new rules, which are part of Credit Card Accountability Responsibility and Disclosure Act of 2009, go into effect on August 22, 2010. I highly recommend that consumers read the FRB pages about the new credit card rules that start in August, and the credit card rules that already started in February 2010.

Will these new rules be enough? Will they protect consumers adequately? What do you think?

Wall Street, Financial Regulation, And The Need For Systemic Change

Past blog posts have covered some of the abuses of consumers by banks with credit card interest rate increasses. Our financial and banking system is so complicated, how can a consumer evaluate the financial reform discussion in Washington? How to evaluate the messages from reform advocates and opponents?

I found this episode of the Bill Moyers Journal very helpful. Moyers interviewed financial experts Simon Johnson and James Kwak about the factors that require systematic change and regulation in order to avoid a repeat of the 2008 financial system crisis. Johnson and Kwak are also co-authors of the book, "13 Bankers: The Wall Street Takeover and the Next Financial Meltdown."

After watching the Moyers Journal interview, the book is definitely on my must-read list. In my opinion, it should be on all voters' reading list. The interview covered some interesting topics:

• The management styles and habits typify Wall Street that led to the 2008 meltdown
• What needs to happen for real financial reform in Washington to be effective
• The nature of the threat from an "oligarchy" of 6 banks that control too much of our economy and Americans' deposits
• The case for breaking up the banks: too big to fail is too big
• Why regulation alone isn't enough
• What hasn't changed and how another financial meltdown can happen again
• It's not a partisan issue as neither party (Democrats or Republicans) are getting it right

Some excerpts:

"... according to Kwak, is that the legislation currently doesn't address the central problem of the crisis, that America's banks have grown 'too big to fail.' In fact, the problem has gotten worse, with just six banks holding assets in excess of 63% of the U.S. Gross Domestic Product. Kwak explains that the crisis actually made the surviving banks more powerful... these banks have gotten bigger, because they've bought each other. They've become more powerful. And they have an even stronger market position..."

During the interview, Moyers asked:

"Over the course of my lifetime, and my working career as a journalist, I've seen one regulatory agency after another taken over by the very industries they were supposed to regulate. Regulation requires a President who is committed to tough regulation. If you get a free market President like George W. Bush, you get regulation serving the industry... If you get a Democratic Party that's been compromised by its concessions and capitulations and contributions from Wall Street, you get a regulatory system that is a joke, and that's what we have. What's to ensure that the next regulatory system won't be a joke?"

And Johnson answered:

""The person who nailed this intellectually a long time ago was from the University of Chicago. George Stigler, not a man of the left, got a Nobel Prize [for concluding that] all industries end up with the industry capturing the regulators. What's happened to us is exactly what Stigler warned against, on a massive scale. The [Obama] Administration still argues that we should delegate responsibility, going forward, for lots of things around finance - like how much capital you should have - delegate that to the regulators... Now that's crazy. That's not acceptable. That's not what they should do, particularly because any Democrat should say 'well, wait a minute, the next free market president who doesn't believe in regulation [that] comes in will gut the system.' And any person from the right who's read Stigler should say 'well, those regulators are just gonna get captured.' You've got to put it in legislation..."

One blog that I will definitely start reading regularly is The Baseline Scenario. Sadly, Brooksley Born was right, and was shunned by supposed financial experts who knew better.

LPL Data Breach And Theft

Many companies and financial services Web sites advertise "bank-level" security. This news story is a sober reminder that data security is only as good as the employees who handle your sensitive personal information. Investment News reported:

"LPL Financial yet again has fallen prey to a technology blunder that placed private client information at risk. An unencrypted portable hard drive was stolen from the car of an LPL representative Feb. 24... The adviser, Christian D'Urso of StoneRidge Wealth Management in Beaverton, Ore., had one client in New Hampshire... As a result of the theft, private client information, including names, addresses, dates of birth and Social Security numbers “may have been breached,” Marc Loewenthal, LPL's senior vice president and chief security and privacy officer, wrote... This isn't the first time... In 2007, the firm reported that computer hackers had compromised the login passwords of 14 financial advisers and four assistants."

Reportedly, LPL has about 12,000 representatives and advisers, making it the nation's largest independent-contractor broker-dealer. What our government is (or is not) doing about data security at financial services companies:

"Neither the Financial Industry Regulatory Authority Inc. nor the Securities and Exchange Commission require notification of privacy breaches by advisers or firms, though a proposed amendment to the SEC's Regulation S-P would add this. That proposed amendment, 17 CFR Part 248, “Privacy of Consumer Financial Information and Safeguarding Personal Information,” was published in March of 2008 but remains pending."

In my opinion, FINRA and the SEC both should require advisors and firms to notify breach victims of data breaches. According to a company representative, the consequences to LPL advisers who lose client data start with a formal reprimand, increase to fines, and then to termination. A formal reprimand? That sounds too weak to me.

I want to know what the consequences are for senior company executives when their company experiences multiple data breaches; especially companies that handle other people's money.

New Data Security Regulations Start Today In Massachusetts

After several revisions, new regulations went into effect today in Massachusetts requiring improved protection of consumers' sensitive personal information. The Worcester Business Journal reported:

"The state’s new identity theft regulations known more formally as “Standards for the Protection of Personal Information of Residents of the Commonwealth” went into effect on March 1... companies that violate the regulations face penalties including civil fines of up to $5,000 per violation, three times actual damages for individuals affected by identity theft, and the reasonable costs of the investigation and litigation, including attorneys’ fees. Costs of the investigation alone can be in the millions of dollars."

The article explains the types of sensitive personal information businesses of all sizes must protect:

"Personal information is defined as a Massachusetts resident’s first and last name or first initial and last name in combination with one or more of the following: (a) social security number; (b) driver’s license number or state-issued ID card number; or (c) financial account number, credit or debit card number, with or without passwords or PINs. For most small businesses such personal information is readily found in employee personnel files and 401(k) forms and sometimes customer files."

Businesses must develop:

"... a comprehensive written information security program (WISP) designed to (a) ensure the security and confidentiality of “personal information” of residents of Massachusetts; (b) protect against anticipated threats or hazards to the security of the information; and (c) protect against unauthorized access to or use of such information."

Records or files containing personal information must be encrypted if they are transmitted over public computer/Internet networks or over wireless networks. A company's WISP must also address the actions it takes to protect the sensitive personal information it shares with vendors and third-party suppliers.

How Credit Cards Work: The Daily Show

The new credit card rules are now in effect. The video (~ 10 minutes) below explains what that means with humor:

The Daily Show With Jon Stewart	Mon - Thurs 11p / 10c
Make it Rain - Bank of America
www.thedailyshow.com
Daily Show Full Episodes Political Humor Health Care Crisis

Now you know why I do not have a credit card with Bank of America. Move your money today to a local bank or credit union.

How Consumers Should Prepare For New Credit Card Rules That Start February 22, 2010

An excellent article at Barnkrate.com lists five tips for consumers who use credit cards. You may remember that President Obama signed into law the Credit Card Accountability, Responsibility and Disclosure Act on May 22, 2009. Two provisions became effective last August, and more provisions become effective on Feb. 22, 2010. Here's what you need to know and do:

"1. Beware the advance notification exceptions. On Aug. 20, 2009, a provision that required 45 days' advance notification of "significant" terms changes took effect. It applies to fees and finance charges, as well as some rate increases. Loopholes in the law... the law doesn't require 45 days' advance notification for credit limit decreases.... Issuers also don't have to provide 45 days' advance notice of rate hikes triggered by a 60-day late payment, expiration of a promotional rate, termination or completion of a workout agreement, or shifts in a variable-indexed interest rate."

What you need to do:

"Read notices from your issuers, and verify the rate and credit limit each month when you get your monthly statement, especially before making a large purchase. Going near your credit limit can hammer your credit score."

Another important tip:

"2. Don't fall into retroactive rate-hike loopholes. Come Feb. 22, existing balances will be protected in most circumstances from a rate increase. If you miss the due date by two months or more, however, the APR applied to that debt can skyrocket. Owe a balance after a promotional rate expires and your rate can increase up to the regular APR."

Another important tip:

"4. Permission needed to go over-limit. Under the CARD Act, a purchase that exceeds the credit limit can't trigger an over-limit fee unless the cardholder has opted in to allow over-limit transactions. The consumer must be informed of the overlimit fee they will incur if they surpass their account limit."

What you need to do:

"The law doesn't prohibit approval of over-limit charges when the customer hasn't given permission for them, but does leave room for denial. If you need to go over-limit for whatever reason, you can switch on your over-limit privileges at any time, by making the request in writing, orally or over the Internet."

You have been warned. I encourage you to read the complete article and all five tips.

Frontline: "The Card Game"

Prior posts in this blog have covered the excesses by banks with consumer credit cards. Frontline's "The Credit Card game" program debuted yesterday. I highly recommend this excellent program:

"As credit card companies face rising public anger, new regulation from Washington and staggering new rates of default and bankruptcy, FRONTLINE correspondent Lowell Bergman investigates the future of the massive consumer loan industry and its impact on a fragile national economy. In The Card Game, a follow-up to the Secret History of the Credit Card and a joint project with The New York Times, Bergman and the Times talk to industry insiders, lobbyists, politicians and consumer advocates as they square off over attempts to reform the way the industry has done business for decades."

If you want to learn about the ways banks have rigged the financial system against consumers, watch this program. In an interview during the program, Nessa Feddis, a lobbyist from the American Bankers Association, made some totally irritating comments.

Check your local PBS station for more broadcast times, or watch the Frontline program "The Card Game" online.

Federal Data Breach Legislation Makes It Way Slowly Through Congress

These two Federal bills are worth watching. From Government Information Security:

"The Personal Data Privacy and Security Act, or S. 1490, designates as fraud unauthorized access of sensitive personally identifiable information, which would lead to racketeering charges. The measure, sponsored by Committee Chairman Patrick Leahy (at left), D.-Vt., also would prohibit concealment of security breaches involved in fraud and prohibit the dismissal of a Chapter 7 bankruptcy case if the debtor is an identity-theft victim."

The second bill:

"The Data Breach Notification Act, or S. 139, would require federal agencies and businesses engaged in interstate commerce to notify American residents whose personal information is accessed when a security breach occurs. An exception: if notification would hinder national security or a law enforcement investigation. S. 139, sponsored by Sen. Dianne Feinstein, D.-Calif., also would require notice to the Secret Service if records of more than 10,000 individuals are obtained or if the database breached has information on more than 1 million people, is owned by the federal government, or involves national security or law enforcement."

California Identity Theft Legislation (SB-20)

Earlier this week, SC Magazine reported that the California State Senate passed SB-20. This is good news for consumers. California Senate Bill SB-20 requires:

"... any agency, person, or business that must issue a security breach notification pursuant to existing law to fulfill certain additional requirements pertaining to the security breach notification, as specified. The bill would also require any agency, person, or business that must issue a security breach notification to more than 500 California residents pursuant to existing law to electronically submit that security breach notification to the Attorney General."

Current laws require companies and agencies to tell affected consumers only that a breach occurred, and don't require the disclosure of details about the breach (e.g., number of consumers affected, types of data lost or stolen, events that led up to the breach, status of the post-breach investigation, etc.). While California has led the nation in passing consumer-friendly identity-theft legislation, this new legislation fills a critical gap. The additional requirements in California Senate Bill SB-20:

"The security breach notification shall include, at a minimum, the following information:
(A) The name and contact information of the reporting agency subject to this section.
(B) A list of the types of personal information, as defined in subdivision (g), that were or are reasonably believed to have been the subject of a breach.
(C) The date, estimated date, or date range within which the breach occurred, if that information is possible to determine at the time the notice is provided, and the date of the notice.
(D) Whether the notification was delayed as a result of a law enforcement investigation.
(E) A general description of the breach incident.
(F) The estimated number of persons affected by the breach.
(G) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a bank account or credit card number, a social security number, or a driver's license or California identification card number."

In order to make timely and effective decisions to protect their sensitive personal data, consumers need to be fully informed about data breaches. In my experience, IBM's breach notice never disclosed the number of records lost/stolen or the number of consumers affected by its February 2007 breach. Nor did IBM disclose the results of its breach investigation, or even if it fired/reprimanded the vendor involved.

Earlier this month, my wife received a breach notice from her credit union. That notice lacked details about both the breach and the follow-up investigation.

The California Senate Bill SB-20 is a good bill. Thanks to California State Democrat Senator Joe Simitian for introducing SB-20. (He also sponsored SB-1386, the landmark 2003 identity theft legislation that paved the way for other states' identity theft legislation.)  I hope that the California Assembly approves it and that Governor Schwarzenegger signs it. I hope that other states pass similar legislation. If you agree, tell your elected officials today.

Massachusetts Gets Tough On Data Security (Part Two)

Yesterday's post discussed new legislation to protect Massachusetts residents. As you might expect, some businesses have protested the changes. Forbes Magazine reported:

"Massachusetts business owners and advocates protested new identity theft regulations at a hearing, saying the rules to protect customers' credit card numbers and personal information will be too costly and time-consuming in a down economy. The Office of Consumer Affairs and Business Regulation hearing was about again extending deadlines for the rules, which require businesses to encrypt laptops, wirelessly transmitted data and consumers' financial and personal information."

The complaints are ones you'd expect to hear:

"... the identity theft law will impede interstate commerce, hurt job creation, and cost too much for small businesses who have to hire outside technology support and upgrade their systems."

Some experts estimated the cost at $50,000 for a small business to comply with the new law. The Massachusetts Government estimated the cost at $10,000 for operation and maintenance in the first year. The companies asked the Massachusetts Government to reissue new regulations on May 1, 2009 and give them two years to comply.

Two years? I can see some foot-dragging due to the recessionary economy. However, business-as-usual just won't work. 2008 saw a record number of data breach incidents and records lost or stolen. And that's based on the fact that about 75 percent of companies release the number of records stolen or consumers affected. So, the real numbers are worse.

Plus, the cost of a data breach is rising significantly. These small businesses should compare the cost of compliance to the post-data-breach costs. $50,000 may seem like a lot, but at a $202 post-data breach cost per record, the break-even is only 248 records. Most small businesses probably have more than 248 customers. So, it is less costly for a small business to avoid data breaches by implementing strong data security now, rather than gamble with consumers' sensitive personal data and incur large post-data breach costs later.

Companies have to take responsibility for protecting consumers' sensitive personal data they use and archive: customers, employees, and former employees. While small businesses do not have the resources that large, multinational companies have to implement effective data security methods, business-as-usual won't work. Consumers have even less resources to protect their sensitive data, to pay for credit monitoring ($12 per month or more) and credit repair services (rates vary) after a data breach, and to pay fees to place and life Security Freezes ($5 - 10 per instance) on their credit reports. Plus, many consumers are unemployed.

Business has to pick up its rightful share of implementing data security methods, since they make money by using consumers' data. If this concerns you (and I hope that it does), I encourage you to write to your elected officials and tell them no more delays for small businesses to comply with the new data security laws.