How To Help After Yesterday's Boston Marathon Bombing

I live and work in Boston, Massachusetts. So the horrible event on Monday has hit close to home. I live in the same area of the city as the 8-year-old victim and his family. For me, it feels like 9-11 and the Challenger disaster all rolled up together.

A few people have written to me asking how they can help and if I know of a victim's relief fun. So, I have compiled below a list of the options I have found. I am sure that more options will become available during the coming days:

• Technology Underwriting Greater Good (TUGG) online victim relief fund. At 12:45 pm this afternoon, donations had already reached $35,000 of its $50,000 goal
• A fund has been set up to assist the Richard family, whose 8-year-old-son was killed and who had other family members injured. You can make a donation at Meetinghouse Bank (2250 Dorchester Ave, Dorchester) or at the Vargas & Vargas Insurance agency (1133 Washington Street, Dorchester). Checks and cash accepted. Make checks or money orders payable to: The Richard Family Fund.
• There are several Richard Family Fund. The Boston Business Journal reported a fund by Salem Five Bank.
• The One Fund Boston 2013
• Celese and Sydney Recovery fund
• The NFL New England Patriots Charitable Foundation (in the donation form message field, specify "Boston Marathon')
• Greg Hill Foundation
• Dine out on April 17 to donate to help Boston Marathon bombing victims
• Dustin Mann's InvestorForce online victim relief fund
• April 21 - 27 is National Volunteer Week. To learn more and find a project to volunteer for, visit the Massachusetts Service Alliance website
• According to news reports, the Red Cross currently has plenty of blood supplies. So, no need to give blood now. Visit www.redcrossblood.org to learn more and to schedule a future appointment to give blood.
• Donors to the Salvation Army can specify a location (e.g., city, state, and Zip Code) to direct their donations to.
• The State Of Massachusetts blog maintains a list of resources and contact information
• If you are looking for somebody that was in or near the explosions, there are several resources: the Red Cross Safe And Well listings, and the Google People Finder.
• Anyone with information about the incident can call the Boston Crime Tips hotline (1-800-494-TIPS), or the FBI (1-800-CALL-FBI and select prompt #3). Families of victims can call the Boston Mayor's hotline (617-635-4500).

Of course, do your homework and research a charity or fund before giving. The Better Business Bureau provides safety and giving tips to protect yourself from scammers. The Red Cross offers tips to recover emotionally after a tragedy. BTW, I donated at the above TUGG link, and I feel better.

Know of a victim's recovery or relief fund? Share it below, please.

Michaels Stores Provide Policies And Class Action Notice On Sales Receipts

My wife and many of her friends like to quilt. They regularly visit retail stores and quilt shops for quilting supplies. This past weekend, my wife visited a Michaels store in Massachusetts. After paying (with cash) for her purchases, she received the following sales receipt:

The sales receipt mentions the store's coupon, exchanges, and returns policies, plus a recent class action lawsuit. The Michaels sales receipt says:

"Dear Valued Customer:

Our coupon policy is to accept one coupon per customer per day. Certain exclusions apply. Please review the exclusion on the coupon and speak with the manager on duty for any questions you may have. Thank You.

To return or exchange an item, customer is required to present a valid photo ID that will be swiped/recorded at the time of the return or exchange for return authorization purposes only. Receipt required within 60 days for refund on most products. Alternate rules apply to books, magazines, and technology and custom products. Returns without receipt will receive Store Return Card. Refunded amount will be the lowest sales price of the item within the last 90 days. Return polices are available at Michaels.com and in store."

One coupon per customer per day? That sounds very stingy and customer unfriendly, as if the store really doesn't want to accept any coupons. And, why use the sales receipt to deliver policy information? This seems customer unfriendly. I've seen promotions and contest information on sales receipts, but not detailed policy information. Simply, print the complete information on regular 8.5 x 11 inch sized paper which is more legible; and insert in each customer's bag. Plus, some customers prefer or require large-print notices.

If you compare the returns/exchanges language on the sales receipt to the store's online Return Policy for US residents (there is a separate Return Policy for Canadian residents), you will find that the online policy has additional language. Customers should not assume that the sales receipt mentions the entire return policy.

More importantly, I want to know why Michaels' return/exchange policy requires the scanning and retention of consumers' identification documents (e.g., driver's licenses, state-issued ID's, passports, and military ID's) even when customers have a receipt. This seems customer unfriendly. When a store requires a document like a driver's license to process a return or exchange, the store collects everything on that document: your address, Driver ID number, height, weight, hair and eye color, and birth date.

Does Michaels really need all of this information (e.g., my weight, eye and hair color) to process a return with a valid receipt? This data collection is legal when performed for fraud prevention. There seems to be nothing stopping retailers from using the data collected for other purposes, such as data mining and marketing.

If a consumer has a receipt, that should be all that is necessary. I did some brief checking and at least one' competitor, Jo-Ann Fabric & Craft Stores, does not require IDs for in-store product returns. Smaller local and mom-and-pop fabric/crafts stores probably have more customer-friendly policies, too.

The sales receipt does not mention a privacy policy. It should, since Michaels does have a privacy policy online at its website, with specific additions for residents of California, Nevada, Vermont, and Canada. However, that online privacy policy does not seem to mention its data retention and sharing polices with ID information collected via returns or exchanges.

Given its return/exchange policy, I want to know how long Michaels retains ID information and what other companies (by name) it shares that ID information with -- items a privacy policy typically state. Without a statement in its privacy policy, a retailer can do anything with that data collected. This ID information is very sensitive data. Customers need to know how long a store retains this information and who it is shared with. Otherwise, consumers cannot make an informed choice.

The sales receipt also says (links enabled):

"Michaels Data Breach Class Action (for more information, please go to www.michaelsdatasettlement.com)

Michaels has settled a lawsuit that allowed certain of its customer suffered damages as a result of a data breach at selected Michaels stores between January 1, 2011 and May 12, 2011. Michaels denies all of the claims."

Unfortunately, that last sentence is vague. It refers to claims alleged in the lawsuit and not claims submitted by data breach victims seeking reimbursement for damages. In May 2011, Michaels stores warned customers in Illinois, New Jersey, California, and 15 other states about the data breach. Criminals had reportedly tampered with in-store PIN pads in checkout lines (e.g., skimming) to steal debit and credit card data. Reportedly, 90 PIN pads were initially affected, but the retail chain later replaced about 7,200 PIN pads. About 94,000 consumer accounts were affected.

Browse the list of Michaels stores (Adobe PDF) affected by the data breach. The list included several stores in Massachusetts in Braintree, Burlington, Danvers, Everett, and Hanover. Customers can also visit the Consumer Notices page at the Michaels.com.

Skimming is a worldwide identity theft and fraud problem. Besides supermarkets and retail stores, criminals target bank ATM machines, gas station pumps, and contact-less (e.g., RFID) payment methods. Several states, including California and Washington, have already banned RFID skimming. Stolen debit card and PIN data gives thieves direct access to consumers' checking bank accounts.

The sales receipt also says:

"You are included in the class if you shopped in this Michaels store or in other selected Michaels stores during that period and your Payment Card was swiped on a PIN Pad terminal from which credit or debit card information was stolen. A complete list of affected Michaels stores can be found at www.michaelsdatasettlement.com. Customers whose credit or debit card information was stolen may receive monetary payment for documented unreimbursed monetary damages and/or credit monitoring services. To request such relief, you must submit a claim postmarked by May 25, 2013.

Unless you exclude yourself from the class by March 5, 2013, you will give up the right to ever sue Michaels about the legal claims the settlement resolves. If you stay in the class, you may object to the settlement by March 5, 2013.

The Court will hold a hearing on April 4, 2013, to consider whether to approve the settlement and payment of attorneys' fees and expenses. You may ask to appear and speak at the hearing."

The settlement agreement includes a $600,000 payment by Michaels stores, which could increase to $800,000 depending upon the volume of claims and reimbursements. If the entire $600,000 is not used, then the remainder will be donated to the Starlight Childrens Foundation, which works with seriously ill children.

I'm glad that my wife paid with cash. I hope that she buys her quilting supplies elsewhere in the future, and doesn't have to return or exchange any of her purchases made at Michaels stores.

Fraudsters Target Police Chief With Check Scam

Wicked Local warned consumers about a check scam that targeted the Police Chief at Hingham, Massachusetts. Like many other check scams, the a package arrived snail mail -- in this case, UPS. The package included a letter and bogus $3,000.00 check which appeared to be from a legitimate business. The letter includes instructions to wire money, about $250, to cover supposed taxes and fees.

Police Chief Michael Peraino was suspicious and called the business first to verify the check. The receptionist at the business verified that the check was a fake, as the business had already received many phone calls from consumers.

Fraudsters attempt check scams like this because they receive real money wired to them from each victim long before the victim realizes that the bogus check they deposited in their bank account has bounced. Each victim is out the $250 they wired, the amount of the bogus check, and any bounced-check fees from their bank.

Check scams like this are a reminder for consumers to verify first any check you receive from an unknown organization or person.The Identity Theft Resource Center (ITRC) advises consumers to follow these steps to verify a suspected scam:

1. Contact the company involved directly, using a customer service number you find in the phone book or that you have used in the past.
2. If you were solicited online, contact the Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center. Or, contact your local State Attorney General's office.
3. Contact the Federal Trade Commission via phone (877-FTC HELP) or e-mail
4. Avoid scams that appear to use expensive out-of-country telephone numbers. If you are unsure about a telephone number's location, look the number or Area Code using this free decoder.

If you are unsure who the attorney general is in the state where you live, then browse this list. Readers of this blog are familiar with a similar check scam that targeted Craig's List website users.

21 Fung Wah Buses Removed From Service After Failed Inspections

WBZ-TV, the CBS network affiliate in Boston, reported yesterday evening about the results of an investigation by both the station and the State of Massachusetts. After several bus inspections by state officials, 21 of 28 Fung Wah buses have been removed from service.

Reportedly, bus inspectors found:

"... multiple oil leaks from different parts of the engine, and nuts and bolts that weren’t secure. There were also faulty lights, a door with a broken latch and the lack of proper registration on the charter bus hired by Fung Wah... Three of those buses had cracked frames. Inspectors found they had been re-welded and the work wasn’t done properly..."

The bus company had hired charter buses to replace its buses that had been removed from service. The Boston Globe reported:

"The frame cracks, located in the drive axle, rear axle, engine cradle, and other locations, posed serious safety issues, said Ann Berwick, chairwoman of the utilities department."

State inspectors are so concerned, they have asked the Federal government to suspend Fung Wah's operating license until repairs have been made. The Massachusetts Department of Public Utilities (DPU) oversees transportation and public safety.

Fung Wah operates low-cost passenger bus service between Boston and New York City. Some ticket prices are as low as $15 each way. A check of the company's website did not find any mentions of the failed bus inspections.

[Update, 3:15 pm EST: the U.S. Department of Transportation has ordered Fung Wah to cease passenger operations until safety concerns are addressed.]

Boston Police Department Safety Alert About Door-To-Door Sales People

The following alert appeared on November 20, 2012 in the Boston Police Department (BPD) community blog:

"The Boston Police is receiving reports about a door-to-door sales person claiming to work for and represent a company called: Just Energy. At present, the group is allegedly soliciting business in the area of Newcastle Road in Brighton. The Boston Police Department is investigating the authenticity of the group..."

Readers of this blog are familiar with Just Energy. It is a valid company and you can browse its website or Better Business Bureau rating. In the above BPD alert, it seems that a criminal may be posing as a Just Energy representative. The BPD advises consumers to follow these safety tips should you encounter any door-to-door salesperson:

"1. Never open your door automatically to anyone without inquiring as to who it is and what they want.

2. If possible, use a ‘peep hole’ or window to see or identify any person knocking on your door or ringing your door bell.

3. When dealing with a person who shows up at your door unannounced or without prior notification (be it a cable provider, maintenance worker, plumber, salesperson) exercise healthy levels of caution and care before agreeing to anything. If a person shows up at your door without proper notification, promptly ask to see an ID, business card or supervisor’s phone number before conducting any further business. If an individual is unable to provide any of the aforementioned forms of identification, discontinue the interaction."

Safe Shopping Tips For 'Black Friday' And The Holidays

You have probably read or heard about it in either the print, television, or radio advertisements. Many retailers will open early Thanksgiving day night to start the long weekend of shopping including what many refer to as "Black Friday." If you plan to shop, know your rights and shopping tips so you don't get "mugged" by excessive fees.

To help consumers, the Massachusetts Office of Consumer Affairs & Business Regulation (OCABR) has developed a holiday shopping guide that explains consumers' rights, the actions retailers are allowed, and shopping tips for the best experience. For example:

"Sale: For the term "sale" to be used in an ad when the actual savings are not stated, the law requires the savings to be at least 10% for items regularly priced $200 or less, and at least 5% for items over $200."

"Restocking Fee: This is a charge deducted from the purchase price when an item is returned, resulting in a partial refund. Sellers must disclose their return policies, including restocking fees, before the initial transaction is completed."

"Layaway: A plan that allows you to pay for a product in installments and receive the merchandise after you have paid in full. A store must fully disclose its policy on layaway plans, including cancellation and return (or non-return) of payments already made."

"Know the seller: Purchasing from a seller you know and trust is the best way to ensure an excellent shopping experience. For unknown web-sites, use an online store review service such as Epinions, BizRate, the Better Business Bureau..."

"Shop smart with a Smartphone: Smartphones allow consumers to keep track of deals, navigate between stores, and compare prices. Check out apps such as Consumer Reports Mobile Shopper and Google Shopper..."

To read the full list of right and tips for consumers, download the "Black Friday Shoppers Guide" (Adobe PDF) or this mobile-friendly version of the same report. Rules for retailers in other states may vary. Check with the consumer affairs agency in your state.

Related posts:

• California Attorney General Notifies Developers Of Mobile Apps In Violation Of State Privacy Laws
• How To Lock Down Your iOS Mobile Device
• Survey: How Mobile Device Users Protect Their Privacy With Mobile Apps
• 5 Things You SHould Know About Prepaid Cards
• Will A Credit Card Or A Debit Card Protect You Better From Fraud?

Mintz Levin Updates Its Listing of States Data Breach Notification Laws

Recently, Mintz Levin updated its listing of states data breach notification laws. The listing, often referred to as the "Mintz Matrix" (Adobe PDF), summarizes the data breach notification laws for 46 states, plus the District of Colombia, the U.S. Virgin Islands, and Puerto Rico.

Within the past few months, the states of Texas and Connecticut have amended their breach notification laws. Alabama, Kentucky, New Mexico and South Dakota do not have any laws about data breach notifications.

Breach notification laws typically describe the kinds of data elements (e.g., Social Security number) that comprise consumers' sensitive personal information, the format (e.g., paper, electronic) of information covered by the laws, the types of information that must be encrypted, the types of businesses and government entities covered by the state's law, and both the time period and methods by which notification must be provided to consumers affected by the data breach.

Mintz Levin is a law firm focusing upon general business, intellectual property, biotechnology, litigation, telecommunications, regulatory issues, and financial planning. Earlier this month, former Massachusetts Governor William F. Weld joined the firm.

States' Attorney Generals Urge Congress To Reject Payday Lender Bill

On Friday, several states' Attorney Generals announced that they had sent a letter to Congressional leaders urging them to oppose HR 6139, known as the Consumer Credit, Access, Innovation, and Modernization Act. The letter read in part:

"Most states have enacted laws and rules to regulate short term lending, including payday loans. Many of these states have chosen to strike a regulatory balance that preserves access to alternative forms of credit while protecting consumers from repeated debt cycles and other pitfalls associated with such products. H.R. 6139 would turn back existing consumer protections... H.R. 6139 would give nonbank financial services providers – including payday lenders, installment lenders, car-title lenders, prepaid-card issuers, check cashers, and others – access to a federal charter issued by the Office of the Comptroller of the Currency. The bill would totally preempt state licensing laws for nonbank financial services providers... In place of state safeguards, the bill would establish only minimal consumer protections... the bill establishes no standards for determining a consumer’s ability to repay. Moreover, the bill would exempt loans with terms of one year or less from the disclosure requirements of the Truth in Lending Act – the universal standard for measuring the true cost of credit – and substitute a cost metric that is confusing and misleading..."

The letter was sent on Friday October 5, 2012 to House Speaker John Boehner, House Minority Leader Nancy Pelosi, Senate Majority Leader Harry Reid, and Senate Minority Leader Mitch McConnell. 41 states' Attorney Generals signed the letter, including Guam and Puerto Rico.

In Congressional testimony during July 2012, the Office of the Comptroller of the Currency (OCC) stated its concerns:

"The effective result of H.R. 6139 would be to create a class of federally chartered companies (National Consumer Credit Corporations, hereinafter referred to as “NCCCs” or “companies”) focused on consumer credit products of the very nature and character that the OCC has found unacceptable based on consumer protection and safety and soundness concerns. In particular, it is our experience that the profitability of many of the types of small dollar, short-term loans that NCCCs would likely seek to offer is dependent on effectively trapping consumers into a cycle of repeat credit transactions, high fees, and unsustainable debt... The bill will result in a decrease in protections for categories of consumers that may be the most vulnerable. We have ample evidence from the recent financial crisis that the goal of enhanced access to financial products and services must be coupled with assurances that those consumers are subject to meaningful consumer protections and that the firms offering those products and services must do so on a prudent, safe, and sound basis. In this regard, the Consumer Financial Protection Bureau (CFPB) has been provided the authority to issue rigorous, uniform, and nationally-applicable consumer protection standards for financial products and services. It is important that the types of products envisioned for NCCCs not be carved out of coverage of CFPB-administered lending standards..."

There are plenty of examples of this cycle of repeat credit transactions, high fees, and unsustainable debt. In February 2009, CBS News reported about the payday lending industry:

"They've now grown into a $59 billion industry. But six states - Arkansas, Georgia, New Hampshire, North Carolina, Ohio and Oregon as well as the District of Columbia - have now effectively banned these loans... there are 24,000 payday lending stores in America - more than Starbucks and McDonald's combined. They provide 19 million American households a quick way to make ends meet... A typical customer takes out about eight payday loans a year..."

CBS News reported in April 2009:

"The payday loan industry, threatened by Congress with extinction, has deployed well-connected lobbyists and hefty sums of campaign cash to key lawmakers to save itself. The strategy has paid off."

This 2011 news report explained how many layday lenders charge unbelievably high interest rates. Last month, the City of San Francisco negotiated a settlement with payday lender Money Mart (a/k/a Loan Mart), which agreed to pay to $7.5 million to reimburse consumers for alleged illegal lending activities and interest rates as high as 400 percent. Consumers eligible to receive reimbursements may receive payments ranging from $20 to $1,800.

The letter caught my interest for three reasons. First, it seems to avoid unnecessarily the CFPB. Second, it mentioned prepaid-card issuers, which this blog has covered extensively. Banks and non-bank prepaid-card issuers have targeted the same market as payday lenders: consumers who have a checking or savings account and not both (e.g., underbanked), or who have neither (e.g., unbanked). About 8 percent of U.S. households are unbanked, and 20 percent are underbanked. Unbanked and underbanked households are typically non-Asian minorities, low-income, young, and unemployed.

Third, anytime a proposed Congressional bill mentions both "modernization" and financial services, a closer inspection is usually wise. (The Graham-Leach Bliley Act, which repealed Glass-Steagall comes to my mind.) Things often get modernized for some, not for others who really needed it, and there are always unintended consequences. One of the OCC's concerns is money-laundering, which is connected to a host of other global ills. Legislation that creates a new class of financial institutions needs to be well constructed, closely reviewed, an adequately discussed publicly.

The Attorney Generals' letter to Congress is available at the Illinois Attorney General website (Adobe PDF). Download H.R. 6139 (Adobe PDF) and see page 24, lines 3 through 8. That's a deal breaker. And, I suggest that you read the full testimony about H.R. 6139 by the OCC Deputy Comptroller of Compliance Policy (Adobe PDF).

Update: Massachusetts 2011 Breach Notification Report

Back in April, this blog discussed the release of the 2011 Data Breach Notification Report (Adobe PDF) by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR). Since then, I further analyzed some of the results from the report. New charts are below.

You may remember that the report covered data breach activity since October 31, 2007, when the state's breach law went into effect. The 2007 law requires businesses that store consumers sensitive personal information to notify the OCABR if they experience or suspect a data breach. In 2009, the state enacted tougher data security rules. In March 2010, the law was amended to require applicable businesses to develop a comprehensive, written information security program and to encrypt certain data.

Some highlights from the report:

• 1,833 data breaches and 3,166,031 Massachusetts residents affected since November 1, 2007
• Notable data breaches during 2011: Sony Playstation, Michael's craft stores, Departments of Unemployment Assistance and Career Services
• Industries with the most data breaches include financial service, health care, education, and state government
• While the number of breaches are evenly split between malicious and non-malicious categories, on average malicious data breaches affect a larger number of residents with each breach compared to non-malicious breaches
• On average, breaches where information is stored in electronic formats are substantially larger than breaches where information is stored in paper format

Breach history (number of data breaches):

Year	Malicious Breaches		Non-Malicious Breaches		Total Breaches
	#	% of Total		% Of Total
2007	11	44%	14	56%	25
2008	257	55%	214	45%	471
2008	261	61%	170	39%	431
2010	161	36%	291	64%	452
2011	241	53%	213	47%	454
Total	931	51%	902	49%	1,833
The non-malicious category includes breaches where, "... either negligence or mistakes by employees or third-party contracgtors resulted in exposing personal information..."

The malicious category includes breaches:

"... made by disgruntled former employees of businesses which held personal information who either retained access to data, or used the access codes of a former coworker to gain access."

The average number of residents affected per data breach:

Year	Malicious Breaches	Non-Malicious Breaches	Total Average Residents/Breach
2007	372	356	363
2008	1,009	2,139	1,522
2008	1,337	209	892
2010	5,757	374	2,291
2011	3,811	421	2,221
Total	2,640	773	1,721

Breach activity based on the storage format of the information:

Year	Electronic		Paper
	# Breaches	Residents / Breach	# Breaches	Residents / Breach
2007	20	432	7	16
2008	331	2,112	81	21
2008	324	1,074	106	54
2010	326	2,912	143	437
2011	364	2,954	106	140
Total	1,365	2,256	443	192

The number of breaches by industry:

Industry	Breaches: 2011	Breaches: 2007 - 2011
Commercial	19	43
Education	24	101
Entertainment	10	30
Federal Government	--	1
Financial Services	257	955
Food & Beverage	5	35
Health Care	63	214
Local Government	2	7
Manufacturing	4	29
Not-For-Profit	4	30
Other	36	164
Pharmaceutical	1	16
Retail	2	21
State Government	18	87
Technology	12	79
Telecommunications	2	17
Trade Union	--	4
Total	459	1,833

Mintz Levin: Breach Notification Laws In The United States

The law firm of Mintz Levin has produced a report listing data breach notification laws in the United States as of June 1, 2012. The report includes details by state, and includes the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. Typically, breach notification laws include a:

• Description of the personal information that must be protected
• List of the businesses, organizations, and state/local agencies that must comply with the state's breach notification law
• Process for the timing, content, and distibution of a breach notification
• Any exceptions to the law (e.g., encrypted files)
• Other provisions and applicable state laws
• Penalties for violations
• Whether breach victims (e.g., state residents) can sue, and if so against whom

Four states do not have any breach notification laws:

• Alabama
• Kentucky
• New Mexico
• South Dakota

If you live in one of these states, contact your elected officials and demand that your state pass a breach notification law. When companies or government agencies have consumers' sensitive personal information lost or stolen, you need to know to protect yourself.

The report is also available here (Adobe PDF, 469 k bytes).

South Shore Hospital To Pay $750,000 In 2010 Breach Settlement

Yesterday, South Shore Hospital and the Massachusetts Attorney General's Office both announced a settlement agreement regarding the hospital's 2010 data breach. the breach exposed the sensitive personal and medical information of 800,000 current and former patients, plus patients at Harbor Medical Associates and South Shore Physician Hospital Organization.

In February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted back-up computer tapes to an off-site vendor, Archive Data Solutions, for erasure. The boxes contained the records of 800,000 patients. According to AAG Coakley's office, the hospital failed to inform Archive Data that boxes contained sensitive personal protected health information. Nor did the hospital determine whether Archive Data had sufficient data security methods to protect this sensitive information.

In June 2010, the hospital learned that only one of the boxes, shipped via several companies, arrived at its destination in Texas. The missing boxes have not been recovered. In a statement, AG Coakley emphasized:

“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form... It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach.”

According to terms of the settlement approved in Suffolk Superior Court, the hospital will pay a $750,000 fine which includes a $250,000 penalty and $225,000 for a data security education fund. The Massachusetts Attorney General's office will use the education fund to:

"... promote education concerning the protection of personal information and protected health information."

The payment is also reduced by $275,000 for expenses the hospital has already made for data security improvements. The HIPAA Privacy Rule specifies which health care organizations must comply with certain data security standards. the rule also defines what "protected health information" is: personally identifiable health care information in any format (e.g., print, electronic).

Report Analyzes Breach Notifications Affecting Massachusetts Residents

Last week, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) released its findings from an analysis of four years of data breach notifications reported to the state. A chief finding was that sensitive data often was not encrypted.

Any businesses or entities storing consumers' personal information has been required since Oct. 31, 2007 to report data breaches to the OCABR. Through September 30, 2011, the OCABR received 1,833 breach notices affecting about 3.2 mikllion people, or an average breach size of 1,727 stolen or lost records. 73% (1,336) of the breaches involved electronic files and affected 97% of breach victims.

The financial services industry reported the most breaches (955) during the last four years, affecting 901,156 people. Most of these breaches were the credit- and debit-card transactions at processing centers and retail stores. The health care industry has had fewer breaches (214), but affected far more people ( 983,746), including the South Shore Hospital breach in 2010.

In March 2010, new laws went into effect requiring entities that store, own, or license personal information about Massachusetts residents to develop, implement, and maintain a comprehensive written information security program (WISP) describing how it will protect sensitive information. the new law required entities to encrypt sensitive information if it is transmitted over public networks, the Internet, or carried on portable devices.

The of breaches each year have remained pretty steady, ranging from a low of about 415 to a high of about 470. Other findings:

"... stolen or lost portable electronic devices are most often not secure. Of the 365 devices reported lost or stolen, only 13 were encrypted. The lost devices led to exposure for 409,572 people. By contrast, the 27 encrypted machines kept information secure for 24,269 people... of the 75 lost or misplaced portable devices reported; only one was encrypted, compromising 1.2 million pieces of information. Of the 290 stolen portable devices stolen, 12 were encrypted, protecting 4,110 pieces of information. The 277 unencrypted devices exposed 220,000 pieces of information."

The types of devices lost/stolen included desktop computers and computer tapes. The types of portable devices lost or stolen included laptop computers, thumb drives, and storage discs (CDs). The report concluded:

"If all portable devices were encrypted from 2007 to 2011, the number of residents whose personal information was compromised would be remarkably lower by 47 % or 1,490,308 people. If all portable devices were encrypted from march 1, 2010 the number of compromised residents would have decreased by 29 percent or 909,992 people... compliance with the encryption requirement is a powerful to to safeguard the personal information of millions of residents"

Download the OCABR data breach report (Adobe PDF, 948K bytes).

Report Warns Proposed MBTA Cuts Would Hamper Boston Metro Area's Economy, Jobs And Growth

A Better City (ABC), a nonprofit transportation advocacy organization, has released a position paper about the fare increases and services cuts proposed by the MBTA. ABC analyzed both proposals by the MBTA to close a $161 million budget deficit forecast for the fiscal year beginning July 1, 2012. In its paper, ABC concluded:

"... the T should seek to close part of its budget gap with a more reasonable fare hike and limited service cuts. The T should then work with MassDOT, Massport, the Patrick administration and the legislature to address the remaining budget shortfall for FY 2013, and to begin work on a long-term, comprehensive finance plan for the Commonwealth’s entire transportation system."

The MBTA had proposed service cuts including the termination of late night and weekend commuter rail service, weekend "E" Green Line service, Mattapan Line, many bus routes, and all ferry service. About these cuts, ABC stated:

"... The T should not cut Commuter Rail service after 10pm and on weekends, nor should it cut weekend service on the E Branch of the Green Line or the Mattapan Trolley. Commuter boat service should be preserved, with a lower public subsidy and operated under the auspices of Massport. Due to the severe impact on riders, bus route service eliminations or reductions should be limited to the ten least efficient routes in the system. Going forward, the T should adopt more stringent and rational service planning criteria across all modes and commit to adjusting service accordingly."

According to ABC, everyday the Boston's population doubles as people commute to work. 55% of those work trips, and 45% of all MBTA trips, include commuting to work. The service cuts proposed by the MBTA would make it difficult for employees to get to work, employers to staff positions, patients to visit doctors and hospitals, and customers to visit entertainment venues:

"Across all sectors, ABC member businesses told us they are concerned about the impact that fare hikes and service cuts would have on their employees’ ability to get to work. Some of our members in the hospitality industry noted that the T’s current service hours are not adequate for employees working odd shifts... The viability of T service, then, has a direct impact on the size of this industry’s job shed, and particularly on the job prospects of low-skilled workers... The health care industry operates 24 hours a day, 7 days a week, and the hospitals of the Longwood Medical Area would be particularly impacted by the proposed service cuts to the Green Line E Branch and the Commuter Rail. These cuts would impact the ability not only of doctors, nurses and support staff to get to their jobs, but also of patients to make their appointments... These businesses have also deployed flexible scheduling and staggered shifts to best utilize their real estate and cope with our already-congested transportation network."

The service cuts would force more autos onto already congested roads, resulting in:

"... 55,000 and 92,000 more cars on the road daily... if there were no public transportation in the Boston area, the additional traffic congestion would cost the regional economy $663 million annually. Based on this estimate, if one-tenth of the T’s current ridership elect to abandon the T and drive their commutes... the additional congestion could cost Massachusetts $66 million a year."

Parking around the city, already a problem, would become worse as more people drive and many parking lots are replaced by office buildings:

"ABC members located in the South Boston Waterfront were particularly concerned that changes at the T would increase demand for parking at a time when large lots currently used by commuters to the Waterfront and to the Financial District are slated to be developed over the next decade. South Boston, East Boston and Downtown are all subject to Parking Freezes. The City of Cambridge also enforces a Parking and Transportation Demand Management ordinance. These policies, implemented to curb air pollution, have made both cities heavily reliant on transit to support future economic growth..."

The higher education industry would be similarly affected:

"... increased demand for parking is at odds with their plans to expand. UMass Boston is a commuter school with a 45% transit share. It’s attempting to increase that number to 60% so that it can utilize its surface parking lots for staging construction of new campus buildings. Boston University, which purchases $2.1 million in T passes for faculty, staff and students, and spends $1.6 million operating its shuttle service, is also planning to reduce its parking spaces in order to make room for new construction. T fare hikes and service cuts will make it harder for both these institutions to grow..."

The entertainment and tourism industries would be similarly affected:

"The proposed cuts to evening and weekend Commuter Rail service would have a significant impact on fans’ and patrons’ ability to get into and out of the city for games, concerts and other cultural events."

ABC suggests that the MBTA:

• Limit its fare increase to 25% and pursue smaller, more frequent increases,
• Maintain commuter rail, trolley, and ferry services,
• Cut only the "10 worst" bus lines,
• Better match resources (e.g., buses and trains) to demand

ounded in 1989 as the Artery Business Committee, A Better City is a nonprofit association representing Greater Boston’s business and institutional community on transportation, land development and environmental sustainability. Download the ABC position paper (Adobe PDF, 1.9M Bytes), which is also available here (Adobe PDF, 1.9M Bytes).

Bank Of America To Test New Fees

After consumer backlash last fall forced it to abandon plans to add fees for consumer debit card accouns, the Bank of America is now testing new fees for checking accounts in three states: Arizona, Georgia, and Massachusetts. Reportedly, the new monthly fees apply only to new accounts and range from $9 to $25 depending upon the consumer's account balance.

Meanwhile, the Massachusetts Secretary of State Galvin seeks legislation for national banks operating within the state to offer free checking accounts for young adults under 19 years of age and elders ages 65 and older. Galvin wants to prohibit these banks from holding state and local government deposits unless they offer free checking for these two groups. State-chartered banks in Massachusetts are already required by law to offer free checking to these two groups.

To learn more, visit the banking authority for your state.

Boston Transit Authority Seeks Public Feedback About Proposed Fare And Service Changes (Part Two)

A prior blog post described a local community meeting held by officials from the MBTA, Boston's transit authority, to collect feedback from the public about which of two fare and service proposals to proceed with. At that meeting, I shared my views about the situation. Earlier this week, a local community meeting drew a large protest:

I have used the “T” subways for many years to commute from home to work in Boston. While living in the Waltham suburb, I used MBTA commuter rail, express buses, and local buses to commute to work. Other mass transit systems I have used:

• While growing up and working in New York City: its MTA buses and subways,
• During college, the bus system in Rochester (NY),
• During graduate study, the elevated trains in Chicago (IL)
• While vacationing in Germany, both the high-speed intra-city rail system and the subway in Cologne,
• While temporarily working in London, its underground and bus systems, and
• While vacationing in Los Angeles, its subway system.

So, I have had plenty of experience using a variety of mass transit systems. I like using mass transit and prefer it over autos.

I read the Information Booklet (Adobe PDF) the MBTA distributed with its two proposed scenarios. I have several concerns.

First, the brochure did not mention nor address the impact upon local small businesses, jobs, and employment. Most Boston residents use the "T" system to get to work or to school. Many use it to shop a businesses within the city. The local community meeting in Dorchester highlighted the fact that many residents (e.g., students, elders and retirees) don't have cars or an alternate means of transportation. They rely on the MBTA.

The large number of service terminations (e.g., bus routes, ferries, "E" line on weekends) spell a disaster for small and local businesses in those areas, who both hire residents as employees and depend upon those residents as customers.

Commuter rail service terminations after 10 pm will likely affect businesses that operate after 10:00 pm. Not just large businesses like the TD North Garden, but numerous small businesses. At the local community meeting I attended, numerous residents shared their feedback about how bus route terminations (e.g., 101 routes in scenario #2) will affect them. Students (e.g., youth) and residents on fixed incomes -- with no alternate transportation -- will be severly affected. Secondary and higher education are huge industries in the Boston metro area. The MBTA proposals don't and should mention how these industries would be affected by the fare increases and service terminations. When service terminations force students to walk to school, there are additional safety issues.

Consumers frequent businesses they can easily and reliably get to. All of the proposed terminations make it more difficult and unreliable for MBTA users -- employees and customers -- to use the MBTA.

It seems that either the MBTA has not considered the impacts upon local businesses and jobs, or does not wish to discuss them. This is odd because the MBTA developed an impact analysis (Adobe PDF) that projected declining air quality from greater auto usage due to service terminations. This is odd because the Big Dig project considered the needs of local businesses along its construction paths:

"But the state had a new task, one that would become a feature of big infrastructure projects nationwide: “mitigation.” Broadly speaking, mitigation was the state’s promise to alleviate the Big Dig’s impact on Boston, from interrupting business to harming the environment. Mitigation eventually accounted for about one-third of the Big Dig’s cost..."

The MBTA needs to do something similar, since it is integral to the health and efficient functioning of the city.

Will students continue to apply to secondary and higher education schools in the area, or will the fare increases and service terminations negatively affect applications? It would be huge disservice if the solution to the MBTA's fiscal mess happened at the expense of the community. There has to be balance.

Second, the MBTA documents did not present utilization rates of the bus routes scheduled for termination. These facts are critical toward evaluating the service cuts. Residents cannot provide informed feedback about the MBTA's proposals without inputs about utilization, the impacts upon employment, and upon jobs.

So, the MBTA has asked the public to "choose the better option," but has not provided all relevant data for the public to make informed choices. That is unfair.

Third, the $4.5 billion debt level and fare comparisons with other cities (Adobe PDF) suggests that a fare is warranted. However, this doesn't give the MBTA a free pass on transparency. I expect the MBTA to do a better job of being transparent about efforts to wring waste out of your system. The documents provided are insufficient.

I talked with MBTA employees (who requested anonymity), and they told me clearly that:

• The MBTA rents a lot of properties it never uses or under utilizes. These properties should be sold or used to increase revenues.
• Better utilization could include options such as power generation (e.g., wind turbines installed on building rooftops) to generate revenue or lower energy costs.
• There are internal human resource programs that cost a lot and drive questionable results.
• Many highways have "aopted a highway mile" programs. The MBTA has not seemed to consider innovative solutions such as this (e.g., 'adopt a station") or similar programs.

Frankly, I don't believe that the MBTA has wrung all of the waste out of its system. Rather, the MBTA seems to take the easy route: raise revenues by raising fares on customers, many of whom are poor and can least afford the proposed fare increases.

Fourth, your proposed fare increases and service terminations seem woefully short-sighted. What about a year from now? How does this solution avoid the situation where we have to revisit your fiscal concerns in a year or two. What about a long-term focus on being environmentally conscious? The proposed solutions don't address this.

The solution for the MBTA's fiscal mess needs to better balance long-term and short-term needs, fit with the city's need to remain competitive and efficient, and fit with the public's desire to use its mass transit system in environmentally friendly ways. My bottom line: the fiscal “cure” should not be worse than the debt “disease.” The surgery should not kill the patient.

Boston Transit Authority Seeks Public Feedback About Proposed Fare And Service Changes

I live and work in Boston. Like many cities in America, Boston's mass transit system faces financial obstacles. In January, the Massachusetts Bay Transit Authority (MBTA) proposed several changes to close its projected operating deficits.

The proposed changes included two scenarios. One scenario includes larger average fare increases with fewer service cuts. the second scenario includes smaller average fare increases with many more service cuts:

	Scenario 1	Scenario 2
Fare Increase	43%	35%
LinkPass	$80	$78
Bus Services Eliminated	23 weekday routes	101 weekday routes
Services eliminated	late night & weekend commuter rail; weekend "E" line; Mattapan line; Ferry
Parking rates increase	28%	20%
Ridership impacts	34-49 million annual trips = 9 - 13%	53-64 million annual trips = 14 - 17%

The current Linkpass fare is about $59. The information brochure (Adobe PDF) about the proposed fare and service changes is available at the MBTA website. The MBTA estimates a $161 million budget deficit in fiscal year 2013. It has a $5.2 billion debt load, which equates $450 million in debt payments each year. Those debt payments equal fare revenues.

In some instances, fares would increase more than 100%. The MBTA compared its fares to transit systems in other American cities (Adobe PDF). The MBTA also prepared an impact analysis document, which concluded that the service cuts will result in poorer air quality.

To collect feedback from the public about which scenario is best, the MBTA is conducting a series of meetings around Boston and in the suburb communities it serves. I attended a Thursday, February 2 session at the Dorchester House Multi-Service Center in Boston's Dorchester community. About 250 residents attended. It was good to see a strong turnout at a midday 1:00 pm session. No apathy here!

Caption: residents speak at the February 2 MBTA meeting at the Dorchester House

An MBTA official briefly presented its public presentation about the proposed changes (Adobe PDF). Most of the two-hour meeting was reserved for residents to speak. A variety of residents spoke: working adults, teenagers, college students, elders, they physically challenged, and retirees. During the session, I saw about 50 residents speak.

A common theme voiced by residents was that the fare increases under both scenarios were steep; many couldn't afford them. Many residents don't have a car, or alternate travel means, and rely on MBTA travel services. Students and retirees have limited incomes, if any, and both the fare increases and service cuts (e.g., buses) would greatly affect them.

MBTA officials handed out a printed statement from Boston Mayor Thomas Menino, which read in part:

"The MBTA provides absolutely critical services to Boston residents, commuters, and visitors. As a transportation hub and economic engine of the region, Boston is uniquely affected by the state of our public transit system... Many administrations have simply passed the buck onto the next administration -- and now the MBTA must find a way to operate with an enormous structural deficit. However, riders should not be forced to shoulder the entire weight of the debt..."

I did not see any reporters from the news media. Several activist groups attended the meeting, spoke, and handed out flyers. The groups included the Coalition to Fund Our Communities, Transportation For Massachusetts, Socialist Equality Party, and Global Exchange. So, there are plenty of ways for residents to get involved and have your voices heard. Contact your elected Massachusetts state representatives today!

The MBTA has scheduled upcoming community meetings for:

• Monday, February 6: Lowell
• Tuesday, February 7: Lynn
• Wednesday, February 8:, Boston (West End) and Hingham
• Monday, February 13: Boston
• Tuesday, February 14: Framingham
• Wednesday, February 15: Quincy
• Thursday, February 16: Malden
• Tuesday, February 28: Somerville
• Wednesday, February 29: Cambridge
• Thursday, March 1: Waltham
• Tuesday, March 6: Brockton

Visit the MBTA website for exact meeting locations.

Massachusetts Attorney General Sues Five Banks For Alleged Foreclosure and Loan Servicing Abuses

Earlier this month, the Massachusetts Attorney General's office filed a complaint against five national banks for alleged abuses involving fraudulent documentation in home foreclosures (commonly referred to as “robo-signing”), foreclosing without holding the actual mortgage, and failing to uphold loan modification promises to Massachusetts homeowners. The banks named in the lawsuit:

• Bank Of America, N.A. (and its BAC Home Loans Servicing LP subsidiary, formerly Countrywide),
• JP Morgan Chase Bank, N.A.,
• CitiBank, N.A. (and its CitiMortgage subsidiary),
• GMAC Mortgage, LLC, and
• Wells Fargo Bank, N.A.

Also named in the complaint (Adobe PDF, 4.1 MBytes) was MERSCORP, Inc. which owns and operates the MERS System, a national registry that tracks ownership and servicing rights in residential mortgages loans. The Massachusetts AG alleged:

"... the banks used false documentation in the foreclosure process, including so-called “robo-signing”, whereby bank personnel signed affidavits that were untrue, or not based on the signor’s actual knowledge. An entity wishing to foreclose on a property must demonstrate it has filed an affidavit in compliance with Massachusetts law... Filings with various Registers of Deeds provided to the Attorney General’s Office revealed the pervasive use of mortgage service employees to sign hundreds of affidavits and sworn statements without personal knowledge of the information contained in those affidavits. Evidence also suggests these practices were not confined to the foreclosure process, but also used in the assignment, transfer and modification of mortgages..."

About alleged foreclosure abuses:

"... these five entities participated in unlawful foreclosures when they commenced foreclosures on mortgages where they were not the holders of those mortgages. The Supreme Judicial Court (SJC), in Commonwealth v Ibanez, recently upheld Massachusetts law and stated that “only the present holder of a mortgage is authorized to foreclose on the mortgaged property.” The complaint alleges that these entities ignored this fundamental legal mandate and proceeded to foreclosure even though they did not hold the mortgage... The banks’ failure to obtain a valid assignment of the mortgage prior to foreclosure has adversely impacted titles to hundreds, if not thousands, of properties..."

And, about alleged failures regarding home loan modifications:

"... the banks deceived and misrepresented to borrowers the process, requirements, and availability of loan modifications. The banks publicly claimed to be engaged in widespread loan modifications aimed at preserving home ownership and avoiding unnecessary foreclosures. Through the National Homeownership Retention Program, which commenced on November 6, 2008, these banks represented that they would work with borrowers to help them avoid unnecessary foreclosures by reducing monthly mortgage payments to affordable and sustainable levels. The complaint alleges these banks misled borrowers about their eligibility for this program and the amount of relief available, failed to achieve a significant level of modifications, and often strung along borrowers for months in trial modifications that were ultimately rejected."

How To File A Complaint About A Bank

Recently, a friend posted this status message on Facebook:

"How does Bank of America stay in business? They continue to threaten and harass even after I have been assured that all issues have been resolved! Issues, by the way, created by their own incompetence! Who do I lodge a complaint with?"

Consumers have several resources to help them with filing a complaint about a bank. Since my friend lives in Massachusetts, first I directed her to the Massachusetts Division of Banks, which regulates banks that operate within the state. This can include help with or submitting a complaint about abuses involving mortgage foreclosures or checking/savings accounts.

If your "banking" problem includes stock or securities fraud, then consumers should consider filing a complaint with the Massachusetts Secretary of State. The responsibility of this administrative agency varies across states, and is based upon the constitution and laws of your state. In Massachusetts, the Secretary of State's office manages several important functions including investment securities, deeds, registration of corporations, elections, and public records.

If you live in a different state, then you can search online for the consumer protection bureau or consumer complaint board within your state that regulates banks. Most states have one.

A second resource is the Federal Deposit Insurance Company (FDIC), which insures banks and financial institutions operating within the USA. The link to the consumer complaint form is conveniently on the FDIC home page.

Sometimes, the problem includes both a bank and a retail company. Then, it is appropriate to submit a complaint the U.S. Federal Trade Commission (FTC), which regulates the activities of retail companies operating within the USA. It is appropriate for consumers to file complaints about deceptive marketing tactics, scams, identity theft, and other topics. The FTC operates a very comprehensive complaint process and database.

If your phone number is registered in the Do Not Call Registry and you belive a company has violated that telemarketing law, then you should file a complaint at the Do Not Call Registry website.

Related articles in this blog which you may also find helpful:

• How To Check Your Insurance Company's Complaint Record
• Received Poor Customer Service? How To Complain Effectively

Unannounced Changes To The MBTA Charlie Card System

I love using mass transit. It's the environment-friendly choice.

I use the subway frequently. Most of the time, the MBTA here in Boston works pretty well. The re-loadable payment cards are really convenient. However, a recent change by the MBTA left me inconvenienced and puzzled.

If you use a Charlie Card, then pay attention. It seems that the MBTA modified their payment card systems... and didn't tell their customers. You may find that your Charlie Card abruptly stops working. Several friends have reported this. If your card stops working, don't throw it out. Here's why.

Look at the identification number on the bottom front of your Charlie Card. If it is printed in red font, then your card is one of the defective ones. The cards with black font work. I suspect that the font type is just a symptom of an underlying problem with the card's internal magnetic encoding.

The MBTA management is strangely silent on the subject.

The cynic in me wonders if the MBTA is hoping to enjoy a windfall of cash when customers discard in the trash their non-working Charlie Cards. Don't throw out your defective Charlie Card. Visit one of the MBTA customer service offices and demand a working replacement. You'll get one with the same amount of stored value which was on your old card.

I spent a half hour this afternoon doing just that at the MBTA Customer Service desk at the Downtown Crossing Red Line station. The customer service rep was very polite. She was able to easily and quickly read the stored value on my defective card, and provide a replacement. By her attitude, it seems that she has encountered this situation before.

So, a word to the wise. You have been warned. Maybe next time, MBTA management will be proactive and alert its customers. If you have experienced a problem with your Charlie Card, share your story below.

Congressional Representatives Ask FTC To Investigate Companies Online Tracking Practice With "Supercookies"

On September 27, Congressional representatives Joe Barton (R-Texas) and Edward J. Markey (D-Mass.), Co-Chairmen of the House Bi-Partisan Privacy Caucus, sent a letter to the U.S. Federal Trade Commission (FTC) asking the agency to investigate “supercookies,” files that can be installed on consumers' computers without their knowledge or consent. Websites use supercookies to collect detailed personal information about consumers and to track consumers' online usage across the Internet.

Supercookies represent the latest effort in the Internet technology race for companies to track consumers' online behaviors versus consumers' need for privacy. First there were browser cookies, which were fairly simple text files websites used to recognize whether or user had visited that website before -- without requiring the user to identify their self.

As consumer awareness increased about the tracking and privacy issues with web browser cookies, some companies began to use the Flash cookies, with the Flash technology, to track and store consumer information data, since most consumers have the Flash plugin installed with their web browsers. As consumers supported "do not track" legislation and began using "do not track" options with their web browsers to delete standard browser cookies, some companies began using "zombie cookies"-- a tracking method to both save tracking information within other folders on consumers' computers and to continually regenerate standard web browser cookies deleted by consumers.

Most recently, some companies began using "zombie e-tags." The term "supercookies" seems to be a catch-all term for both covert tracking approaches: "zombie cookies" and "zombie e-tags." According to PrivateWiFi:

"... supercookie files can store more information than a normal cookie and can sometimes be stored in different places than regular cookies, such as a file used by a plugin (such as Flash), which makes them harder to identify and remove. In addition, some supercookies have the capability of regenerating regular cookies to prevent their removal. Supercookies track things differently from ordinary cookies. A normal cookie can be written, read and ultimately removed by the website that created it. However, the supercookie operates much more stealthily by tracking and recording user behavior across multiple sites. It’s ethically questionable that a website should be able to record a user’s actions beyond its borders. Websites that have been found to use supercookies include MSN.com, Hulu.com, and Flixster.com."

The ethics is definitely an issue. Is it ethical for a website, like Hulu.com or Facebook.com, to track consumers' usage beyond their websites and across the entire Internet? Perhaps, it is okay if the website policies are transparent, provide legible notice, and gain consumers' opt-in consent first. So, the letter by Barton and Markey is very timely and appropriate. Their September 26 letter read in part:

"As C-Chairs of the Congressional Bi-Partisan Privacy Caucus, we believe this new business practice raises serious privacy concerns and is unacceptable. We are also very concerned about the extent of this practice by websites as well as the impact supercookies have on consumers. Furthermore, we believe the usage of supercookies takes away consumer control over their own personal information, presents a greater opportunity for the misuse of personal information, and provides another way for consumers to be tracked online. In an effort to protect consumers, we are interested in any actions the Federal Trade Commission (FTC) has taken or plans to take to investigate the usage and impact of supercookies on the Internet and consumers. We believe that an investigation of the usage of supercookies would fall within the FTC’s mandate as stipulated in Section 5 of the Federal Trade Commission Act with respect to protecting Americans from ‘unfair and deceptive acts or practices.’”

Read the full text of the letter by Barton and Markey (PDF).

What I'd really like to see is legislation that requires companies to fully disclose their tracking methods and the precise data collected, much like labels on food attempt to descibe what is in the packaging. Why? It's all about consumer trust.

Similar to food, ingredients will change. For the Internet, tracking technologies will change. And change quickly, too. Yesterday's browser cookies morphed into "zombie cookies" and "super cookies," which has morphed again into "zombie e-tags." So, the companies' website terms-of-use and privacy policy should explain in simple English:

1. The tracking technologies (e.g., hardware and software) currently used,
2. The names of all affiliate companies and business partners they do business with for #1,
3. The services, products, software, and consumer dinformation exchanged in #2,
4. The length of time the data collected in #3 is archived,
5. The anonymization process used, and verified by an independent third-party, and
6. A large, easy-to-find and easy-to-understand opt-in button, because the program only includes consumers who choose to opt-in or register.