South Shore Hospital To Pay $750,000 In 2010 Breach Settlement

Yesterday, South Shore Hospital and the Massachusetts Attorney General's Office both announced a settlement agreement regarding the hospital's 2010 data breach. the breach exposed the sensitive personal and medical information of 800,000 current and former patients, plus patients at Harbor Medical Associates and South Shore Physician Hospital Organization.

In February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted back-up computer tapes to an off-site vendor, Archive Data Solutions, for erasure. The boxes contained the records of 800,000 patients. According to AAG Coakley's office, the hospital failed to inform Archive Data that boxes contained sensitive personal protected health information. Nor did the hospital determine whether Archive Data had sufficient data security methods to protect this sensitive information.

In June 2010, the hospital learned that only one of the boxes, shipped via several companies, arrived at its destination in Texas. The missing boxes have not been recovered. In a statement, AG Coakley emphasized:

“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form... It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach.”

According to terms of the settlement approved in Suffolk Superior Court, the hospital will pay a $750,000 fine which includes a $250,000 penalty and $225,000 for a data security education fund. The Massachusetts Attorney General's office will use the education fund to:

"... promote education concerning the protection of personal information and protected health information."

The payment is also reduced by $275,000 for expenses the hospital has already made for data security improvements. The HIPAA Privacy Rule specifies which health care organizations must comply with certain data security standards. the rule also defines what "protected health information" is: personally identifiable health care information in any format (e.g., print, electronic).

Report Analyzes Breach Notifications Affecting Massachusetts Residents

Last week, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) released its findings from an analysis of four years of data breach notifications reported to the state. A chief finding was that sensitive data often was not encrypted.

Any businesses or entities storing consumers' personal information has been required since Oct. 31, 2007 to report data breaches to the OCABR. Through September 30, 2011, the OCABR received 1,833 breach notices affecting about 3.2 mikllion people, or an average breach size of 1,727 stolen or lost records. 73% (1,336) of the breaches involved electronic files and affected 97% of breach victims.

The financial services industry reported the most breaches (955) during the last four years, affecting 901,156 people. Most of these breaches were the credit- and debit-card transactions at processing centers and retail stores. The health care industry has had fewer breaches (214), but affected far more people ( 983,746), including the South Shore Hospital breach in 2010.

In March 2010, new laws went into effect requiring entities that store, own, or license personal information about Massachusetts residents to develop, implement, and maintain a comprehensive written information security program (WISP) describing how it will protect sensitive information. the new law required entities to encrypt sensitive information if it is transmitted over public networks, the Internet, or carried on portable devices.

The of breaches each year have remained pretty steady, ranging from a low of about 415 to a high of about 470. Other findings:

"... stolen or lost portable electronic devices are most often not secure. Of the 365 devices reported lost or stolen, only 13 were encrypted. The lost devices led to exposure for 409,572 people. By contrast, the 27 encrypted machines kept information secure for 24,269 people... of the 75 lost or misplaced portable devices reported; only one was encrypted, compromising 1.2 million pieces of information. Of the 290 stolen portable devices stolen, 12 were encrypted, protecting 4,110 pieces of information. The 277 unencrypted devices exposed 220,000 pieces of information."

The types of devices lost/stolen included desktop computers and computer tapes. The types of portable devices lost or stolen included laptop computers, thumb drives, and storage discs (CDs). The report concluded:

"If all portable devices were encrypted from 2007 to 2011, the number of residents whose personal information was compromised would be remarkably lower by 47 % or 1,490,308 people. If all portable devices were encrypted from march 1, 2010 the number of compromised residents would have decreased by 29 percent or 909,992 people... compliance with the encryption requirement is a powerful to to safeguard the personal information of millions of residents"

Download the OCABR data breach report (Adobe PDF, 948K bytes).

Report Warns Proposed MBTA Cuts Would Hamper Boston Metro Area's Economy, Jobs And Growth

A Better City (ABC), a nonprofit transportation advocacy organization, has released a position paper about the fare increases and services cuts proposed by the MBTA. ABC analyzed both proposals by the MBTA to close a $161 million budget deficit forecast for the fiscal year beginning July 1, 2012. In its paper, ABC concluded:

"... the T should seek to close part of its budget gap with a more reasonable fare hike and limited service cuts. The T should then work with MassDOT, Massport, the Patrick administration and the legislature to address the remaining budget shortfall for FY 2013, and to begin work on a long-term, comprehensive finance plan for the Commonwealth’s entire transportation system."

The MBTA had proposed service cuts including the termination of late night and weekend commuter rail service, weekend "E" Green Line service, Mattapan Line, many bus routes, and all ferry service. About these cuts, ABC stated:

"... The T should not cut Commuter Rail service after 10pm and on weekends, nor should it cut weekend service on the E Branch of the Green Line or the Mattapan Trolley. Commuter boat service should be preserved, with a lower public subsidy and operated under the auspices of Massport. Due to the severe impact on riders, bus route service eliminations or reductions should be limited to the ten least efficient routes in the system. Going forward, the T should adopt more stringent and rational service planning criteria across all modes and commit to adjusting service accordingly."

According to ABC, everyday the Boston's population doubles as people commute to work. 55% of those work trips, and 45% of all MBTA trips, include commuting to work. The service cuts proposed by the MBTA would make it difficult for employees to get to work, employers to staff positions, patients to visit doctors and hospitals, and customers to visit entertainment venues:

"Across all sectors, ABC member businesses told us they are concerned about the impact that fare hikes and service cuts would have on their employees’ ability to get to work. Some of our members in the hospitality industry noted that the T’s current service hours are not adequate for employees working odd shifts... The viability of T service, then, has a direct impact on the size of this industry’s job shed, and particularly on the job prospects of low-skilled workers... The health care industry operates 24 hours a day, 7 days a week, and the hospitals of the Longwood Medical Area would be particularly impacted by the proposed service cuts to the Green Line E Branch and the Commuter Rail. These cuts would impact the ability not only of doctors, nurses and support staff to get to their jobs, but also of patients to make their appointments... These businesses have also deployed flexible scheduling and staggered shifts to best utilize their real estate and cope with our already-congested transportation network."

The service cuts would force more autos onto already congested roads, resulting in:

"... 55,000 and 92,000 more cars on the road daily... if there were no public transportation in the Boston area, the additional traffic congestion would cost the regional economy $663 million annually. Based on this estimate, if one-tenth of the T’s current ridership elect to abandon the T and drive their commutes... the additional congestion could cost Massachusetts $66 million a year."

Parking around the city, already a problem, would become worse as more people drive and many parking lots are replaced by office buildings:

"ABC members located in the South Boston Waterfront were particularly concerned that changes at the T would increase demand for parking at a time when large lots currently used by commuters to the Waterfront and to the Financial District are slated to be developed over the next decade. South Boston, East Boston and Downtown are all subject to Parking Freezes. The City of Cambridge also enforces a Parking and Transportation Demand Management ordinance. These policies, implemented to curb air pollution, have made both cities heavily reliant on transit to support future economic growth..."

The higher education industry would be similarly affected:

"... increased demand for parking is at odds with their plans to expand. UMass Boston is a commuter school with a 45% transit share. It’s attempting to increase that number to 60% so that it can utilize its surface parking lots for staging construction of new campus buildings. Boston University, which purchases $2.1 million in T passes for faculty, staff and students, and spends $1.6 million operating its shuttle service, is also planning to reduce its parking spaces in order to make room for new construction. T fare hikes and service cuts will make it harder for both these institutions to grow..."

The entertainment and tourism industries would be similarly affected:

"The proposed cuts to evening and weekend Commuter Rail service would have a significant impact on fans’ and patrons’ ability to get into and out of the city for games, concerts and other cultural events."

ABC suggests that the MBTA:

• Limit its fare increase to 25% and pursue smaller, more frequent increases,
• Maintain commuter rail, trolley, and ferry services,
• Cut only the "10 worst" bus lines,
• Better match resources (e.g., buses and trains) to demand

ounded in 1989 as the Artery Business Committee, A Better City is a nonprofit association representing Greater Boston’s business and institutional community on transportation, land development and environmental sustainability. Download the ABC position paper (Adobe PDF, 1.9M Bytes), which is also available here (Adobe PDF, 1.9M Bytes).

Bank Of America To Test New Fees

After consumer backlash last fall forced it to abandon plans to add fees for consumer debit card accouns, the Bank of America is now testing new fees for checking accounts in three states: Arizona, Georgia, and Massachusetts. Reportedly, the new monthly fees apply only to new accounts and range from $9 to $25 depending upon the consumer's account balance.

Meanwhile, the Massachusetts Secretary of State Galvin seeks legislation for national banks operating within the state to offer free checking accounts for young adults under 19 years of age and elders ages 65 and older. Galvin wants to prohibit these banks from holding state and local government deposits unless they offer free checking for these two groups. State-chartered banks in Massachusetts are already required by law to offer free checking to these two groups.

To learn more, visit the banking authority for your state.

Boston Transit Authority Seeks Public Feedback About Proposed Fare And Service Changes (Part Two)

A prior blog post described a local community meeting held by officials from the MBTA, Boston's transit authority, to collect feedback from the public about which of two fare and service proposals to proceed with. At that meeting, I shared my views about the situation. Earlier this week, a local community meeting drew a large protest:

I have used the “T” subways for many years to commute from home to work in Boston. While living in the Waltham suburb, I used MBTA commuter rail, express buses, and local buses to commute to work. Other mass transit systems I have used:

• While growing up and working in New York City: its MTA buses and subways,
• During college, the bus system in Rochester (NY),
• During graduate study, the elevated trains in Chicago (IL)
• While vacationing in Germany, both the high-speed intra-city rail system and the subway in Cologne,
• While temporarily working in London, its underground and bus systems, and
• While vacationing in Los Angeles, its subway system.

So, I have had plenty of experience using a variety of mass transit systems. I like using mass transit and prefer it over autos.

I read the Information Booklet (Adobe PDF) the MBTA distributed with its two proposed scenarios. I have several concerns.

First, the brochure did not mention nor address the impact upon local small businesses, jobs, and employment. Most Boston residents use the "T" system to get to work or to school. Many use it to shop a businesses within the city. The local community meeting in Dorchester highlighted the fact that many residents (e.g., students, elders and retirees) don't have cars or an alternate means of transportation. They rely on the MBTA.

The large number of service terminations (e.g., bus routes, ferries, "E" line on weekends) spell a disaster for small and local businesses in those areas, who both hire residents as employees and depend upon those residents as customers.

Commuter rail service terminations after 10 pm will likely affect businesses that operate after 10:00 pm. Not just large businesses like the TD North Garden, but numerous small businesses. At the local community meeting I attended, numerous residents shared their feedback about how bus route terminations (e.g., 101 routes in scenario #2) will affect them. Students (e.g., youth) and residents on fixed incomes -- with no alternate transportation -- will be severly affected. Secondary and higher education are huge industries in the Boston metro area. The MBTA proposals don't and should mention how these industries would be affected by the fare increases and service terminations. When service terminations force students to walk to school, there are additional safety issues.

Consumers frequent businesses they can easily and reliably get to. All of the proposed terminations make it more difficult and unreliable for MBTA users -- employees and customers -- to use the MBTA.

It seems that either the MBTA has not considered the impacts upon local businesses and jobs, or does not wish to discuss them. This is odd because the MBTA developed an impact analysis (Adobe PDF) that projected declining air quality from greater auto usage due to service terminations. This is odd because the Big Dig project considered the needs of local businesses along its construction paths:

"But the state had a new task, one that would become a feature of big infrastructure projects nationwide: “mitigation.” Broadly speaking, mitigation was the state’s promise to alleviate the Big Dig’s impact on Boston, from interrupting business to harming the environment. Mitigation eventually accounted for about one-third of the Big Dig’s cost..."

The MBTA needs to do something similar, since it is integral to the health and efficient functioning of the city.

Will students continue to apply to secondary and higher education schools in the area, or will the fare increases and service terminations negatively affect applications? It would be huge disservice if the solution to the MBTA's fiscal mess happened at the expense of the community. There has to be balance.

Second, the MBTA documents did not present utilization rates of the bus routes scheduled for termination. These facts are critical toward evaluating the service cuts. Residents cannot provide informed feedback about the MBTA's proposals without inputs about utilization, the impacts upon employment, and upon jobs.

So, the MBTA has asked the public to "choose the better option," but has not provided all relevant data for the public to make informed choices. That is unfair.

Third, the $4.5 billion debt level and fare comparisons with other cities (Adobe PDF) suggests that a fare is warranted. However, this doesn't give the MBTA a free pass on transparency. I expect the MBTA to do a better job of being transparent about efforts to wring waste out of your system. The documents provided are insufficient.

I talked with MBTA employees (who requested anonymity), and they told me clearly that:

• The MBTA rents a lot of properties it never uses or under utilizes. These properties should be sold or used to increase revenues.
• Better utilization could include options such as power generation (e.g., wind turbines installed on building rooftops) to generate revenue or lower energy costs.
• There are internal human resource programs that cost a lot and drive questionable results.
• Many highways have "aopted a highway mile" programs. The MBTA has not seemed to consider innovative solutions such as this (e.g., 'adopt a station") or similar programs.

Frankly, I don't believe that the MBTA has wrung all of the waste out of its system. Rather, the MBTA seems to take the easy route: raise revenues by raising fares on customers, many of whom are poor and can least afford the proposed fare increases.

Fourth, your proposed fare increases and service terminations seem woefully short-sighted. What about a year from now? How does this solution avoid the situation where we have to revisit your fiscal concerns in a year or two. What about a long-term focus on being environmentally conscious? The proposed solutions don't address this.

The solution for the MBTA's fiscal mess needs to better balance long-term and short-term needs, fit with the city's need to remain competitive and efficient, and fit with the public's desire to use its mass transit system in environmentally friendly ways. My bottom line: the fiscal “cure” should not be worse than the debt “disease.” The surgery should not kill the patient.

Boston Transit Authority Seeks Public Feedback About Proposed Fare And Service Changes

I live and work in Boston. Like many cities in America, Boston's mass transit system faces financial obstacles. In January, the Massachusetts Bay Transit Authority (MBTA) proposed several changes to close its projected operating deficits.

The proposed changes included two scenarios. One scenario includes larger average fare increases with fewer service cuts. the second scenario includes smaller average fare increases with many more service cuts:

	Scenario 1	Scenario 2
Fare Increase	43%	35%
LinkPass	$80	$78
Bus Services Eliminated	23 weekday routes	101 weekday routes
Services eliminated	late night & weekend commuter rail; weekend "E" line; Mattapan line; Ferry
Parking rates increase	28%	20%
Ridership impacts	34-49 million annual trips = 9 - 13%	53-64 million annual trips = 14 - 17%

The current Linkpass fare is about $59. The information brochure (Adobe PDF) about the proposed fare and service changes is available at the MBTA website. The MBTA estimates a $161 million budget deficit in fiscal year 2013. It has a $5.2 billion debt load, which equates $450 million in debt payments each year. Those debt payments equal fare revenues.

In some instances, fares would increase more than 100%. The MBTA compared its fares to transit systems in other American cities (Adobe PDF). The MBTA also prepared an impact analysis document, which concluded that the service cuts will result in poorer air quality.

To collect feedback from the public about which scenario is best, the MBTA is conducting a series of meetings around Boston and in the suburb communities it serves. I attended a Thursday, February 2 session at the Dorchester House Multi-Service Center in Boston's Dorchester community. About 250 residents attended. It was good to see a strong turnout at a midday 1:00 pm session. No apathy here!

Caption: residents speak at the February 2 MBTA meeting at the Dorchester House

An MBTA official briefly presented its public presentation about the proposed changes (Adobe PDF). Most of the two-hour meeting was reserved for residents to speak. A variety of residents spoke: working adults, teenagers, college students, elders, they physically challenged, and retirees. During the session, I saw about 50 residents speak.

A common theme voiced by residents was that the fare increases under both scenarios were steep; many couldn't afford them. Many residents don't have a car, or alternate travel means, and rely on MBTA travel services. Students and retirees have limited incomes, if any, and both the fare increases and service cuts (e.g., buses) would greatly affect them.

MBTA officials handed out a printed statement from Boston Mayor Thomas Menino, which read in part:

"The MBTA provides absolutely critical services to Boston residents, commuters, and visitors. As a transportation hub and economic engine of the region, Boston is uniquely affected by the state of our public transit system... Many administrations have simply passed the buck onto the next administration -- and now the MBTA must find a way to operate with an enormous structural deficit. However, riders should not be forced to shoulder the entire weight of the debt..."

I did not see any reporters from the news media. Several activist groups attended the meeting, spoke, and handed out flyers. The groups included the Coalition to Fund Our Communities, Transportation For Massachusetts, Socialist Equality Party, and Global Exchange. So, there are plenty of ways for residents to get involved and have your voices heard. Contact your elected Massachusetts state representatives today!

The MBTA has scheduled upcoming community meetings for:

• Monday, February 6: Lowell
• Tuesday, February 7: Lynn
• Wednesday, February 8:, Boston (West End) and Hingham
• Monday, February 13: Boston
• Tuesday, February 14: Framingham
• Wednesday, February 15: Quincy
• Thursday, February 16: Malden
• Tuesday, February 28: Somerville
• Wednesday, February 29: Cambridge
• Thursday, March 1: Waltham
• Tuesday, March 6: Brockton

Visit the MBTA website for exact meeting locations.

Massachusetts Attorney General Sues Five Banks For Alleged Foreclosure and Loan Servicing Abuses

Earlier this month, the Massachusetts Attorney General's office filed a complaint against five national banks for alleged abuses involving fraudulent documentation in home foreclosures (commonly referred to as “robo-signing”), foreclosing without holding the actual mortgage, and failing to uphold loan modification promises to Massachusetts homeowners. The banks named in the lawsuit:

• Bank Of America, N.A. (and its BAC Home Loans Servicing LP subsidiary, formerly Countrywide),
• JP Morgan Chase Bank, N.A.,
• CitiBank, N.A. (and its CitiMortgage subsidiary),
• GMAC Mortgage, LLC, and
• Wells Fargo Bank, N.A.

Also named in the complaint (Adobe PDF, 4.1 MBytes) was MERSCORP, Inc. which owns and operates the MERS System, a national registry that tracks ownership and servicing rights in residential mortgages loans. The Massachusetts AG alleged:

"... the banks used false documentation in the foreclosure process, including so-called “robo-signing”, whereby bank personnel signed affidavits that were untrue, or not based on the signor’s actual knowledge. An entity wishing to foreclose on a property must demonstrate it has filed an affidavit in compliance with Massachusetts law... Filings with various Registers of Deeds provided to the Attorney General’s Office revealed the pervasive use of mortgage service employees to sign hundreds of affidavits and sworn statements without personal knowledge of the information contained in those affidavits. Evidence also suggests these practices were not confined to the foreclosure process, but also used in the assignment, transfer and modification of mortgages..."

About alleged foreclosure abuses:

"... these five entities participated in unlawful foreclosures when they commenced foreclosures on mortgages where they were not the holders of those mortgages. The Supreme Judicial Court (SJC), in Commonwealth v Ibanez, recently upheld Massachusetts law and stated that “only the present holder of a mortgage is authorized to foreclose on the mortgaged property.” The complaint alleges that these entities ignored this fundamental legal mandate and proceeded to foreclosure even though they did not hold the mortgage... The banks’ failure to obtain a valid assignment of the mortgage prior to foreclosure has adversely impacted titles to hundreds, if not thousands, of properties..."

And, about alleged failures regarding home loan modifications:

"... the banks deceived and misrepresented to borrowers the process, requirements, and availability of loan modifications. The banks publicly claimed to be engaged in widespread loan modifications aimed at preserving home ownership and avoiding unnecessary foreclosures. Through the National Homeownership Retention Program, which commenced on November 6, 2008, these banks represented that they would work with borrowers to help them avoid unnecessary foreclosures by reducing monthly mortgage payments to affordable and sustainable levels. The complaint alleges these banks misled borrowers about their eligibility for this program and the amount of relief available, failed to achieve a significant level of modifications, and often strung along borrowers for months in trial modifications that were ultimately rejected."

How To File A Complaint About A Bank

Recently, a friend posted this status message on Facebook:

"How does Bank of America stay in business? They continue to threaten and harass even after I have been assured that all issues have been resolved! Issues, by the way, created by their own incompetence! Who do I lodge a complaint with?"

Consumers have several resources to help them with filing a complaint about a bank. Since my friend lives in Massachusetts, first I directed her to the Massachusetts Division of Banks, which regulates banks that operate within the state. This can include help with or submitting a complaint about abuses involving mortgage foreclosures or checking/savings accounts.

If your "banking" problem includes stock or securities fraud, then consumers should consider filing a complaint with the Massachusetts Secretary of State. The responsibility of this administrative agency varies across states, and is based upon the constitution and laws of your state. In Massachusetts, the Secretary of State's office manages several important functions including investment securities, deeds, registration of corporations, elections, and public records.

If you live in a different state, then you can search online for the consumer protection bureau or consumer complaint board within your state that regulates banks. Most states have one.

A second resource is the Federal Deposit Insurance Company (FDIC), which insures banks and financial institutions operating within the USA. The link to the consumer complaint form is conveniently on the FDIC home page.

Sometimes, the problem includes both a bank and a retail company. Then, it is appropriate to submit a complaint the U.S. Federal Trade Commission (FTC), which regulates the activities of retail companies operating within the USA. It is appropriate for consumers to file complaints about deceptive marketing tactics, scams, identity theft, and other topics. The FTC operates a very comprehensive complaint process and database.

If your phone number is registered in the Do Not Call Registry and you belive a company has violated that telemarketing law, then you should file a complaint at the Do Not Call Registry website.

Related articles in this blog which you may also find helpful:

• How To Check Your Insurance Company's Complaint Record
• Received Poor Customer Service? How To Complain Effectively

Unannounced Changes To The MBTA Charlie Card System

I love using mass transit. It's the environment-friendly choice.

I use the subway frequently. Most of the time, the MBTA here in Boston works pretty well. The re-loadable payment cards are really convenient. However, a recent change by the MBTA left me inconvenienced and puzzled.

If you use a Charlie Card, then pay attention. It seems that the MBTA modified their payment card systems... and didn't tell their customers. You may find that your Charlie Card abruptly stops working. Several friends have reported this. If your card stops working, don't throw it out. Here's why.

Look at the identification number on the bottom front of your Charlie Card. If it is printed in red font, then your card is one of the defective ones. The cards with black font work. I suspect that the font type is just a symptom of an underlying problem with the card's internal magnetic encoding.

The MBTA management is strangely silent on the subject.

The cynic in me wonders if the MBTA is hoping to enjoy a windfall of cash when customers discard in the trash their non-working Charlie Cards. Don't throw out your defective Charlie Card. Visit one of the MBTA customer service offices and demand a working replacement. You'll get one with the same amount of stored value which was on your old card.

I spent a half hour this afternoon doing just that at the MBTA Customer Service desk at the Downtown Crossing Red Line station. The customer service rep was very polite. She was able to easily and quickly read the stored value on my defective card, and provide a replacement. By her attitude, it seems that she has encountered this situation before.

So, a word to the wise. You have been warned. Maybe next time, MBTA management will be proactive and alert its customers. If you have experienced a problem with your Charlie Card, share your story below.

Congressional Representatives Ask FTC To Investigate Companies Online Tracking Practice With "Supercookies"

On September 27, Congressional representatives Joe Barton (R-Texas) and Edward J. Markey (D-Mass.), Co-Chairmen of the House Bi-Partisan Privacy Caucus, sent a letter to the U.S. Federal Trade Commission (FTC) asking the agency to investigate “supercookies,” files that can be installed on consumers' computers without their knowledge or consent. Websites use supercookies to collect detailed personal information about consumers and to track consumers' online usage across the Internet.

Supercookies represent the latest effort in the Internet technology race for companies to track consumers' online behaviors versus consumers' need for privacy. First there were browser cookies, which were fairly simple text files websites used to recognize whether or user had visited that website before -- without requiring the user to identify their self.

As consumer awareness increased about the tracking and privacy issues with web browser cookies, some companies began to use the Flash cookies, with the Flash technology, to track and store consumer information data, since most consumers have the Flash plugin installed with their web browsers. As consumers supported "do not track" legislation and began using "do not track" options with their web browsers to delete standard browser cookies, some companies began using "zombie cookies"-- a tracking method to both save tracking information within other folders on consumers' computers and to continually regenerate standard web browser cookies deleted by consumers.

Most recently, some companies began using "zombie e-tags." The term "supercookies" seems to be a catch-all term for both covert tracking approaches: "zombie cookies" and "zombie e-tags." According to PrivateWiFi:

"... supercookie files can store more information than a normal cookie and can sometimes be stored in different places than regular cookies, such as a file used by a plugin (such as Flash), which makes them harder to identify and remove. In addition, some supercookies have the capability of regenerating regular cookies to prevent their removal. Supercookies track things differently from ordinary cookies. A normal cookie can be written, read and ultimately removed by the website that created it. However, the supercookie operates much more stealthily by tracking and recording user behavior across multiple sites. It’s ethically questionable that a website should be able to record a user’s actions beyond its borders. Websites that have been found to use supercookies include MSN.com, Hulu.com, and Flixster.com."

The ethics is definitely an issue. Is it ethical for a website, like Hulu.com or Facebook.com, to track consumers' usage beyond their websites and across the entire Internet? Perhaps, it is okay if the website policies are transparent, provide legible notice, and gain consumers' opt-in consent first. So, the letter by Barton and Markey is very timely and appropriate. Their September 26 letter read in part:

"As C-Chairs of the Congressional Bi-Partisan Privacy Caucus, we believe this new business practice raises serious privacy concerns and is unacceptable. We are also very concerned about the extent of this practice by websites as well as the impact supercookies have on consumers. Furthermore, we believe the usage of supercookies takes away consumer control over their own personal information, presents a greater opportunity for the misuse of personal information, and provides another way for consumers to be tracked online. In an effort to protect consumers, we are interested in any actions the Federal Trade Commission (FTC) has taken or plans to take to investigate the usage and impact of supercookies on the Internet and consumers. We believe that an investigation of the usage of supercookies would fall within the FTC’s mandate as stipulated in Section 5 of the Federal Trade Commission Act with respect to protecting Americans from ‘unfair and deceptive acts or practices.’”

Read the full text of the letter by Barton and Markey (PDF).

What I'd really like to see is legislation that requires companies to fully disclose their tracking methods and the precise data collected, much like labels on food attempt to descibe what is in the packaging. Why? It's all about consumer trust.

Similar to food, ingredients will change. For the Internet, tracking technologies will change. And change quickly, too. Yesterday's browser cookies morphed into "zombie cookies" and "super cookies," which has morphed again into "zombie e-tags." So, the companies' website terms-of-use and privacy policy should explain in simple English:

1. The tracking technologies (e.g., hardware and software) currently used,
2. The names of all affiliate companies and business partners they do business with for #1,
3. The services, products, software, and consumer dinformation exchanged in #2,
4. The length of time the data collected in #3 is archived,
5. The anonymization process used, and verified by an independent third-party, and
6. A large, easy-to-find and easy-to-understand opt-in button, because the program only includes consumers who choose to opt-in or register.

Belmont Savings Bank Settles With Massachusetts Attorney General Office For Data Breach

The Massachusetts Attorney General Office announced that it had reached a settlement agreement with Belmont Savings Bank after the bank had failed to protect consumers information during a May 2011 data breach. The terms of the settlement includes a $7,500 fine and:

"... Belmont Savings Bank must ensure the proper transfer and inventory of backup computer tapes containing personal information; store backup computer tapes containing personal information in a secure location; and effectively train the members of its workforce on the policies and procedures with respect to maintaining the security of personal information."

The bank lost an unencrypted backup computer tape containing the names, Social Security numbers, and account numbers of more than 13,000 Massachusetts residents after a bank employee failed to follow the bank’s data security policies and procedures. The employee left the computer tape on a desk instead of storing it in a vault overnight.

According to Attorney General Coakley:

“Consumers expect businesses to not only develop policies and procedures to safeguard their sensitive personal information, but to follow these procedures as well... Our office will continue to take action against companies that fail to follow protocol to protect the information entrusted to them by consumers.”

Good. We'll be watching.

Analysis: Several States' Online Consumer Forms For Filing Phone Scams Complaints

[Editor's note: this is part three of a three-part series about telemarketing or phone scams.]

Yesterday, I described my experience with filing online complaints with the U.S. Federal Trade Commission and with the Attorney General office in the state where I live. Today, I want to share my findings about how well several states' Attorney General websites allow consumers to file online complaints about phone scams.

Remember, the the FTC Phone Fraud website instructs consumers to file complaints at both the FTC Complaint Assist website and at their state Attorney General website. After having difficult at the Massachusetts AG website, I reviewed several states' AG websites. I wanted to know if other states presented online complaint forms that made it easy (or difficult) to file complaints about phone scams.

I reviewed and compared the online complaints form for six (6) states. I chose four states (California, Florida, New York, and Texas) with large populations since that would include the probable online experience for a large percentage of the US population. I also included my home state (Massachusetts), and one state (Alabama) that does not have any laws requiring the notification of consumers affected by data breaches:

#	State AG Website	Online Complaint Form
1	Massachusetts	https://www.eform.ago.state.ma.us/ago_eforms/forms/piac_ecomplaint.action
2	California	http://ag.ca.gov/contact/complaint_form.php?cmplt=CL
3	Florida	http://myfloridalegal.com/Contact.nsf/Contact?OpenForm&Section=Economic_Crimes
4	Alabama	http://www.ago.state.al.us/consumer_form.cfm
5	New York	http://www.ag.ny.gov/bureaus/consumer_frauds/filing_a_consumer_complaint.html
6	Texas	https://www.oag.state.tx.us/forms/cpd/form.php

Remember, the FTC website linked to the National Association of Attorneys General (NAAG) website, which lists all Attorney General websites in the 50 states, plus the District of Columbia, Guam, and Puerto Rico. So, many consumers will arrive at their state's AG website with the goal to complete this specific task: file a complaint online about a phone scam. Given this specific task, I used three criteria to evaluate the AG websites:

1. Did the AG website main page present a link or button for consumers to file a complaint online, that was prominent and easy to find?
2. Did the AG website allow consumers to actually file a complaint online?
3. Did the state's online form allow for the submission of phone scams?

There are many other criteria one could use to evaluate AG websites. I chose these three criteria because they directly relate to the specific task. I looked for variations of the "File a Complaint" phrase and not necessarily the same words. My findings:

1. Many AG websites made it difficult for consumers to file complaints. 50% (3 of 6) of the websites reviewed contain a link or button on the home page that was prominent and easy-to-find. Prominent and easy means that the link/button is immediately displayed when the page loads. So, half of the websites (e.g., Florida, New York, and Texas) evaluated didn't provide a link/button.

AG websites typically present information about news releases and the services available to consumers and businesses -- all very valuable information. The lack of a "File a Complaint" link or button on the home page makes the website needlessly more difficult to use. This forces consumers to hunt for the complaint form page.

Several example highlight this forced hunt. First, the online complaint form is buried in the Florida AG website under the Consumer Protection website section. That fom location may be a logical place for frequent website visitors, attorneys, and AG office staff, but not necessarily for first-time visitors or consumers. Second, the Texas AG website has a "Report Fraud, Waste, and Abuse" link on its main page, but that link is narrowly focused on complaints about state government agencies. Consumers looking to file a complaint about a non-government organization still have to hunt for the online complaint form.

Third, the New York AG website locates its complaint forms under the Consumer Frauds Bureau and Identity Theft sections. Again, frequent visitors, attorneys, and AG office staff may know to look there, but first-time visitors won't.

When hunting for a form, there are several time-consuming strategies that consumers may use: site-search mechanism, click on various navigation links, and/or read the page content.

2. Most AG websites present interactive online complaint forms. 83% (5 of 6) of the websites reviewed present online complaint forms. The only website that didn't -- New York -- presented static forms in Adobe PDF format, which consumers must download, complete offline, and submit via surface mail.

3. Not all AG websites allow consumers to submit complaints about telemarketing/phone fraud. 60% (3 of 5) of the websites with interactive, online complaint forms allow consumers to file complaints about phone scams. (Remember, the New York AG website had PDF forms instead of interactive forms.) That is, the complaint forms are flexible enough to allow consumers to enter the data elements they may have.

In my online experience, the form in the Massachusetts AG website requires consumers to submit all of the following data elements about the phone-scammer: company name, address, city, state, ZIP Code, and phone number. With phone scams, consumers won't necessarily have all of these data elements. I didn't. The complaint form at the Texas AG website also contained the same usability problems as  the Massachusetts AG website form.

While it is a fairly simple task to add a "File a Complaint" link on the home page and to edit an online complaint forms to make more company data elements optional rather than required, there probably are backend database considerations. The online databases must contains sufficient categorization and tagging to identify phone fraud complaints as such, and not as partially completed complaints.

If you have submitted complaints at your state's AG website, what was your experience?

Filing an Online Complaint About a Credit Card Phone Scam

[Editor's Note: this is part two in a three-part series about telemarketing or phone scams.]

Yesterday, I described my experience with an attempted credit card phone scam. Today, I want to describe in greater detail my experiences with filing complaints online. It is important to notify the appropriate law government agencies about scams so law enforcement can take action and shut them down.

As I described yesterday, I visited the FTC Phone Fraud website to learn how to telemarketing or phone scams. The main page contained a "Report Phone Fraud" link, which links to the Reporting Phone Fraud page. This page explains how to file a complaint online with both the U.S. Federal Trade Commission and the Attorney General Office in your state:

"Your complaint counts! Fight telephone fraud. Report telephone scam artists to the FTC and to your state Attorney General. When you report phone fraud to the FTC, your complaint is entered into a secure database that is available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad."

At the FTC Complaint Assist website, I filed my complaint online. That was simple enough, and later during the day I received a confirmation e-mail message that my complaint had been successfully submitted.

Since I live in Massachusetts, I wanted to file a complaint with the Attorney General's (AG) Office for my state. The FTC Phone Fraud website makes this easy, since it contains a link to the National Association of Attorneys General (NAAG) website, which lists all Attorney General websites in the 50 states, plus the District of Columbia, Guam, and Puerto Rico.

So, I clicked through to the Massachusetts Attorney General website. The Massachusetts AG website main page has an easy-to-find "File A Complaint" link on the main page in the center column:

I clicked on the "File a Complaint" link which directed me to an instructions page. After reading the instructions, I accessed the Consumer Complaint Form page. So far, so good.

I completed the form page with the information I had, which unfortunately wasn't much. Remember, I only had the company name, Card Services, because the scam artist hung up when I asked for more information about his company': its phone number. After submitting the Consumer Complaint Form, I received this error page:

The website requires all of the following about the scammer: company address, city, state, phone, and ZIP Code. This was disappointing since I only had the company name, and the form requires data elements I don't have. If I had fallen victim to this phone scam and lost money, then I might have had more information about the scammer's company. That is no guarantee, though.

I reviewed the Consumer Complaint Form page, and noticed that it did not indicate which fields were required versus optional. That is a basic website development flaw. As a user experience professional who has built and redesigned dozens of websites since 1997, I can state this with authority. Well-designed online forms should indicate to users what information is required versus optional. It saves everyone time and avoids frustration.

At this point, I was stuck. I couldn't file online the complaint about the phone scam. Remember, I arrived at my state AG website based on instructions from the FTC website. This was frustrating.

If a state wants consumers to file complaints so it can collect accurate information about the types and volume of scams operating in their state, then the form should allow consumers to enter the data elements they have about the scammer's company. Otherwise, scams go unreported and the state AG has inaccurate information about the types and volume of scams operating in their state.

I realize that in these tough economic times, state's budgets are tight. The reporting of scams goes to law enforcement, and law enforcement seems to me to be a high-priority item.

After this experience, I began to wonder what the online experience is for consumers in other states. Tomorrow: a brief look at the online consumer complaint forms at several states' Attorney General websites.

Have you filed an online complaint with your state Attorney General? What was your experience?

The State of Florida Made $63 Million in 2010 Selling Drivers' Personal Data. What About Your State?

Business Insider reported that the state of Florida sells the personal information of drivers:

"... to private investigators and research services for years with last year's sale bringing in almost $63 million. Reported by News Channel 5 in Tampa, the state sells nearly all the information on every license including birth dates and drivers license numbers."

The news report listed the price at $ .01 price per drivers record. That sounds awfully low -- too low -- given the data elements purchased and the reliable data source (e.g., the State of Florida). Do you think your personal information is worth more than a penny? I do and guess that you do, too.

The companies that purchase Florida drivers' information include some familiar names: Acxiom Information Securities Service, Inc., Choice Point, E-Funds, Explore Information Services, LexisNexis, Line Barge, Goggan, Blair, & Simpson, Inc., SC Services, ShadowSoft, TLO LLC, and West Services Inc..

The Driver Privacy Protection Act (DPPA) is Federal law enacted in 1994, long before corporate data breaches, digitized profiles, and privacy became the problems we have today. The DPPA regulates what personal information must be protected, and can (cannot) be sold by states. According to the Electronic Privacy Information Center (EPIC):

"The DPPA was passed in reaction to the a series of abuses of drivers' personal information held by government. The 1989 death of actress Rebecca Schaeffer was a prominent example of such abuse. In that case, a private investigator, hired by an obsessed fan, was able to obtain Rebecca Schaeffer's address through her California motor vehicle record. The fan used her address information to stalk and to kill her. Other incidents cited by Congress included a ring of Iowa home robbers who targeted victims by writing down the license plates of expensive cars..."

Some states have laws providing greater protections for drivers' personal information. There have been at least two class-action lawsuits for alleged DPPA violations.

Does your state sell drivers' personal information? Probably. It can be difficult to determine. Often, there is a disclosure in your state government motor vehicle registry website about the DPPA and what your state does (and does not) sell. For example, the Massachusetts RMV website:

"The DPPA restricts the disclosure of personal information, as defined in 18 U.S.C §2725. Personal information is information that identifies an individual, including name, address, driver's license number, social security number*, photograph* and medical information... The DPPA only restricts personal information. Information on vehicular accidents, driving violations and driver's status is not personal information. Also, information that does not pertain to an individual would not be considered personal information."

Like other states, only "Permitted Users" can buy this drivers personal information, and the state supposedly verifies both the purchasers' identities and whether the purchasers' usage post-sale complies with the law. So, drivers personal information is being sold. I wasn't able to find a disclosure about the annual total amount of revenues from DPPA sales.

Another example from the New York State DMV:

"You must have a DPPA permissible use to request DMV records that contain personal information. Personal information includes name, address, or Client ID Number (Driver License Number). You must certify that you have a permissible use when you request records that contain personal information... The DMV records that are frequently requested are driver abstracts, registration abstracts, title abstracts, and accident reports... The DMV normally does not provide a history of the ownership or the mileage of a vehicle... To request a vehicle ownership history, you must certify that you have a DPPA permissible use for the information... The National Driver Register (NDR) is a database maintained by the Federal government. The NDR lists: the drivers from each US state who have a driver license that is suspended or revoked, and the drivers who were convicted of a serious traffic violation like DWI or a drug-related violation. Motor vehicle bureaus in the US provide the NDR with the names of persons who lose the privilege to drive or who were convicted of serious traffic violations... You can use form NDR-1 to search the NDR. Information from the NDR must comply with the DPPA."

Another example from Texas:

"... the Driver’s Privacy Protection Act (DPPA), makes it illegal for the general public, including the media, to obtain, publish or confirm personal information about you from the state motor vehicle database. The law does provide exceptions for certain entities, such as courts and police. Texas law provides additional protection under the Motor Vehicle Records Disclosure Act, and the Public Information Act (Section 552.130)."

Personally, I don't believe that Florida (and other states) should sell drivers personal information to information brokers, regardless of the uses claimed by the data brokers. It effectively, makes the data publicly available to everyone, "permitted uses" or not.

The states' DPPA disclosures which I have read are often long, difficult to read, and at times confusing. The information could be presented far better with pages containing separate summaries, instructions, and forms for each target audience (e.g., individuals/residents, companies, state/local agencies, law enforcement/courts, etc.). When there are additional state laws providing broader protections, you almost have to be an attorney in order to reconcile the multiple laws to understand exactly what is protected and sold.

Kudos to News Channel 5 in Tampa for the good investigative journalism.

What is your opinion? Should states sell drivers personal information? Is the price Florida charged too low?

Data Breach at Massachusetts Unemployment Offices

On Tuesday of this week, the Massachusetts Executive Office of Labor and Workforce Development (EOLWD) issued a press release announing a dat breach at the Departments of Unemployment Assistance (DUA) and Career Services (DCS) network. Several employee desktop computers at the One Stop Career Centers were infected on April 20, 2011 with a computer virus that collected and transmitted the confidential information of DUA customers and employees. EOLWD learned of the computer virus on May 16, 2011.

The computer virus collected the following information: names, Social Security Numbers, Employer Identification Numbers, e-mail addresses, residential street addresses, and business street addresses. Bank account information may also have been stolen. The virus may have infected as manay as 1,500 DUA computers. With the assistance of Symantec, the EOLWD's computer security consultant, the virus was removed from all affected desktop computers.

While the exact number of breach victims was not disclosed, the press release advised that any consumers who conducted business at a DUA office between April 19 through May 13, plus about 1,200 businesses, should take the following precautions:

• For answers to common questions, call 1-877-232-6200 or visit the EOLWD data breach website
• Review your credit reports (e.g., Experian, Equifax, and TransUnion) for fraudulent entries
• Place a Fraud Alert or Security Freeze on your credit reports

The EOLWD plans to notify breach victims directly. Depending upon the number of breach victims, Massachusetts law allows organizations to notify consumers via ads in newspapers or directly via breach letters.

The press release did not state when that notification will be sent, nor if the notification will offer breach victims with a period of free credit monitoring and identity-theft resolution services. The press release did not state whether the state will reimburse breach victims for the costs to place a Security Freeze on their credit reports.

In my opinion, the EOLWD letter to breach victims should address all of these concerns. Since this theft includes enough sensitive personal information for identity criminals to obtain loans or credit in the breach victims' names, I recommend that breach victims follow all of the above precautions. Learn about the differences between a Fraud Alert and a Security Freeze options. If you find fraudulent entries in your credit reports, then stronger protection of a Security Freeze option is needed, since it prevents credit from being issued unless you authorize it.

After a data breach in 2007 by a prior employer, I had to learn about these options. I first tried a Fraud Alert, but later placed a Security Freeze on my credit reports at Experian, Equifax, and TransUnion. For me, it was important to have the strongest protections available since I did not need more credit.

If you received a breach notification letter from EOLWD, what did the letter offer? Did you find the notification letter helpful?

Briar Group Restaurants Settles 2009 Data Breach For $110K

In a press release yesterday, the Massachusetts Attorney General's office anounced a settlement with the Briar Group LLC restaurants for a 2009 data breach where the company failed to take reasonable steps to protect customers debit and credit card information:

"According to the lawsuit, filed in Suffolk Superior Court, the Briar Group experienced a data breach in April 2009, when malcode that was installed on Briar’s computer systems allowed hackers access to customers’ credit and debit card information, including names and account numbers. The malcode was not removed from the Briar Group’s computers until December 2009. Further, the complaint alleges that the Briar Group failed to change default usernames and passwords on its point-of-sale computer system; allowed multiple employees to share commons usernames and passwords; failed to properly secure its remote access utilities and wireless network; and continued to accept credit and debit cards from consumers after Briar knew of the data breach."

The Briar Group LLC ownes and operates several popular restaurants including Ned Devine's, the Green Briar, and The Harp, and Solas. The judgment, signed on March 28, 2011, requires the company to pay $110k in civiil penalties to the Commonwealth, and to comply with both Massachusetts data security regulations and Payment Card Industry Data Security Standards (PCIDSS). All restaurants in the company must also develop a security password management system and implement data security measures to comply with PCIDSS standards, including a Written Information Security Program (PDF document). 

Consumers need to know that retailers adequately protect their banking information as required by law. Congratulations to the Massachusetts Attorney General's Office.

Banks Collect And Sell Data About Their Cardholders' Purchases

You may not know it, but your credit card issuer makes money by selling data about the purchases made by its cardholders: you and me. WBZ TV, the CBS affiliate in Boston, broadcast an interesting segment Tuesday evening about how banks and credit card issuers make money by selling what they know about their card holders:

"Every time you use your credit card, your bank or credit card company is watching and taking notes. It looks at where you shop, how often you shop, what you’ve purchased..."

I advise consumers to watch the telecast at the WBZ-TV website.

So, what does your credit card company know about you? Think about everything you charged during the past month. During the past 6 months. Groceries. Clothes. Vacation. Personal hygiene. Liquor. Auto repair bill. Junk/fast food. Movies. Bar food and drinks. Doctor copayments. Medicine. Political donations. Cash advances at a casino.

The collection includes the amounts of your purchases and where you made these purchases, too. The collection includes both purchases made online and at brick-and-mortar stores. The collection happens regardless of whether your are a member of a loyalty/rewards program.

Being an informed shopper means knowing all of this. Something to remember the next time you see one of those cute telelvsion ads promoting the convenience of using plastic.

Some consumers see targeted advertisements online when the view and pay their monthly credit card bill. Those targeted ads are based on the prior purchases you made with your debit/credit card,

There are some things I want my credit card company to know well about me. I do want my credit card company to know enough about me to spot fraudulent purchases that are outside my normal purchase area or dollar amounts. So, a certain amount of data collection is good.

If this data collection about card purchases bothers you, experts warn that you can opt-out of some, but not all of the data sharing. Read the privacy statement online at your credit card issuer's website, or the privacy statement enclosed with your last credit card statement. If you want your purchases to remain entirely private, use cash and don't use your debit/credit card.

Mass General Pays $1 Million Fine For Data Breach

Last week, the Department of Health and Human Services (HHS) announced that it had reached a settlement with the General Hospital Corporation and Massachusetts General Physicians Organization Inc. (Mass General). Mass General agreed to pay the U.S. Government $1 million:

"... to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule..."

The "potential violation" is from a March 2009 data breach which included:

"... the loss of protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS... Mass General failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule."

The impermissible disclosure of PHI included the loss of:

• Documents containing patient schedules with names and medical record numbers for 192 patients,
• Billing forms containing the name, date of birth, medical record number, health insurer, policy number, diagnosis, and name of providers for 66 of the 192 patients

A Mass General employee left the records on a subway train while commuting to work. The records were never recovered. As part of the settlement, Mass General signed a Resolution Agreement with HHS that requires it to develop and implement a comprehensive set of policies and procedures to safeguard the privacy of its patients.

Would You Buy Pay-As-You-Drive Auto Insurance?

A few nights ago, the CBS affiliate here in Boston broadcast a news story about "pay-as-you-drive auto insurance." The idea is that if you pay auto insurance premiums based on the number of miles you drive. If you drive a lot, you pay more. If you drive less, you pay less. Good drives might pay 2 cents a mile; bad drivers 10 cents a mile.

Why am I writing about this? Be patient and read to the end. The reason will quickly become obvious.

The idea of pay-as-you-drive or pay-per-mile auto insurance appeals to me, mostly because I don't drive much. I am happy to walk and/or take mass transit. Boston has a pretty good mass transit system with buses and subway trains.

My wife and I own one car which we share. When we need a second car, I use Zipcar.com, which is effectively paying for the use of a car (and its auto insurance) only when I need it -- on an hourly basis. If I use a Zipcar more, I pay more. I pay for only for what I use.

It seems a little unfair for me to pay the same amount as a person who drives 1,500 miles each month, while I drive only about 350 miles monthly. So, my auto insurance premiums would decrease substantially with pay-as-you-drive pricing. Another benefit of mileage-based auto insurance:

"A new study commissioned by the Conservation Law Foundation found that basing premiums on mileage would encourage drivers to drive less, cut down on pollution from tailpipe emissions, even reduce accidents which could be attractive for insurers."

The idea of pay-per-mile auto insurance also appeals because this form of pricing is not new. Rental car rates are often mileage based. Airplane and bus travel are often mileage based. you pay more the further you travel.

The news story was rolling along nicely until the reporter mentioned how insurance companies might measure drivers' mileage:

"... drivers would probably have to agree to a tracking device in their car to monitor their mileage and  check their driving habits."

Whoa!! More tracking of consumers?

There is tracking and then there is tracking. Simple tracking might upload once a month the car's odometer mileage reading. That is simple enough, since most new cars have digital odometers. Or, the folks at On-Star might include this with their existing service. It's what I had in mind during this news broadcast.

More invasive tracking might use a GPS device to measure your mileage and speed; in theory to determine whether or not drivers comply with posted speed limits. That is problematic and unnecessary.

Why? First, insurance companies already obtain speeding ticket information from state motor vehicle registries. Second, inspection stations already record mileage during the auto inspection. Just add the upload feature to the RMV.

Third, slow drivers could get penalized needlessly if the tracking doesn't include traffic information. Fourth, extensive tracking collects more information a company could lose or have stolen during a data breach.

Fifth and perhaps most importantly, GPS tracking captures a lot more information than insurance companies need: your location, time of day, travel patterns, and how long you stay at certain places. That is far more extensive data collection than any insurance company deserves, or should have.

Are insurance companies prepared to invest more in data security to protect this information? So far, they don't seem prepared to do so. They would have to because where you are during the day, and your travel patterns over weeks or months, is very valuable information. Burgulars, for one, would love to have it. They'd know when you aren't home and when you are expected to return.

The news reporter, Beth Germano, didn't discuss any of the privacy issues related to tracking. Hopefully she will in a future news telecast, because a rental car company, using GPS tracking, issued a consumer a speeding ticket and included the speeding fine with his auto rental bill. Insurance companies should not perform law enforcement tasks. The insurance company was forced to stop billing speeders.

What's your opinion about pay-as-you-go auto insurance? Would you buy it? What track would you be comfortable with? If you missed the news telecast, here it is:

Former BigBad Employees Pursue Back Wages

Last week, my former employer was in the news again. The Boston Business Journal reported:

"When BigBad closed in March, more than a dozen staffers were still owed between $2,000 and $15,000 each in lost wages and expenses, according to sources. Now, about 14 ex-BigBad employees have retained attorney Christopher Vaughn-Martel to help recoup the money... We’ve made a demand on the company and all of its managing officers for a substantial sum..."

I encourage you to read the entire article (fee). Earlier this year, the Boston Business Journal reported the closing of the agency. While the agency has taken down its website, its Facebook and Twitter pages remain available.

The article discussed both one former Bigbad executive's bankruptcy filing, and some of the website projects abandoned by BigBad that other digital agencies have since completed.