Media / Press

Tuesday, April 15, 2008

Blogging For Civil Liberties Workshop at the ACLU of Massachusetts Conference

On Saturday, January 26, 2008, I attended the first ACLU Massachusetts conference on Reclaiming Our Civil Liberties. The conference was a real treat for me, since I'd only read about Daniel Ellsberg, the keynote speaker. It was great to hear him live and hear his experiences about the Pentagon Papers. (See also the National Security Archive at GWU.) Ellsberg also discussed his views on the Bush administration, U.S. foreign policy, the Iraq war, the "Blue Dog Coalition" (for perspectives, see C-Span, Common Dreams, and the New York Times), and the oath of government officials to the Constitution (and not a personal oath to the President). Many of today's policies of expansive Executive privilege by the Bush administration are rooted in VP Cheney's tenure in President Nixon's administration.

I attended the conference both as a member and as a panelist. There were over 400 attendees, by my rough count. I spoke at a workshop titled, "Blogging for Civil Liberties." Christopher Ott, the Communications Manager of the ACLU of Massachusetts, chaired the panel. The other panelist was Charles Blandy, Co-Founder and Co-Editor of BlueMassGroup.com.

Workshop panelists Charles Blandy and George Jenkins at the Massachusetts ACLU Conference. January 2008. Waltham. Photo by Marilyn Humphries.

The workshop went smoothly. About 35 people attended this workshop. Charles spoke first and reviewed many of the well-known political blogs (such as Daily Kos and TPMmuckraker) consumers can use to learn about civil liberties and to participate in the blogosphere. My talk focused more narrowly on I've Been Mugged as an example of citizen journalism, consumers' rights about identity protection, and notification laws after a corporate data breach. About 30 people attended this workshop and at least 400 attended the conference.

If you missed the conference, you can listen to the "Blogging For Civil Liberties" podcast (52 minutes, MP3 file, 23 MBytes). You can listen to the podcast on any MP3 player, including the iPod. I'd like to thank Christopher Ott and the Massachusetts ACLU for making the podcast available. Thanks to Marilyn Humphries for the photograph.

[Note to readers: Sorry for the delay publishing this post. I would have published it sooner, but the podcast was only recently available.]

Friday, March 07, 2008

Screenshot Of The Day

From the Quantcast ratings web site:

I've Been Mugged activity

Wednesday, November 07, 2007

In The Blogosphere: IT Project Failures and The Hartford's Data Breach

Whether or not you work in the Information Technology (IT) profession, IT Project Failures is a well-written blog. Michael Krigsman chronicles the missteps, mishaps, fumbles, and failures by IT departments in corporations and in government agencies. Michael is a good friend and I hope that more IT professionals read his blog and learn from the examples.

In a recent post, Michael wrote about a data breach at The Hartford insurance company. Data breaches are just one of the many types of IT department fumbles and mishaps.

The Hartford's data breach reminded me a lot of IBM's data breach earlier this year, when IBM lost my personal data. After reading the news reports in PC World and Cleveland.com (Note: State of Ohio Insurance Director Mary Jo Hudson is asking good questions), I noticed that both companies' data breaches have some similarities:

  1. Both companies lost backup data tapes.
  2. Both companies claim the data tapes were "lost" and that there's no evidence that the lost data has been misused.
  3. Both companies took more than a month to notify identity theft victims.
  4. The data tapes included sensitive personal data like SS#'s and driver's license numbers.
  5. Both companies offered the identity-theft victims one year of free credit monitoring.

There are a couple of differences. First, The Hartford was open and honest about the number of records exposed/stolen. To this day, IBM has never disclosed the number of records lost/stolen. It's difficult to trust a company that is not open and honest.

Second, The Hartford's data breach included lost/stolen customer information, while IBM's data breach included lost/stolen employee and former-employee information.

Now, back to the similarities...

It really seems dishonest when companies claim immediately after a data breach that there's no evidence of the data being stolen. First, the fact that they can't find the data tapes would be evidence enough. Second, identity criminals aren't going to announce that they've stolen or copied the tapes. Third, it'll be the identity-theft victims that discover the evidence, when identity thieves try to access their financial accounts or commit fraud in the ID-victims' names.

When companies make this claim of no evidence, they really need to be specific. Was their search for evidence only within the company? Did they approach law enforcement? Is their claim of 'no evidence' based on law enforcement's investigation?

Both companies seem to believe that one year of free credit monitoring is enough. It isn't. Identity theft victims have to monitor their financial and credit reports for a far longer time period than one year... like the rest of their lives. Both companies' data breach created this risk for the identity theft victims. So, the period of free credit monitoring should match the risk period.

Monday, November 05, 2007

In The Blogosphere: Chronicles of Dissent

A tip of the hat to the folks at Chronicles of Dissent blog for their coverage of my posts about correspondence with Attorney General Coakley's office about online breach notification. If you are a Massachusetts resident and you feel as I do, I hope that you'll contact Mass. Attorney General Coakley's office and tell them you want corporate breach notifications posted online.

Sunday, November 04, 2007

In The Blogosphere: Savvy Gal

A tip of the hat to Wendy Darcy at her Savvy Gal blog for coverage of my posts about correspondence with Attorney General Coakley's office about online breach notification. Wendy posts some really helpful tips for working women about how to navigate the corporate world and their career.

Monday, October 01, 2007

Celebrating 3 Months - Top 10 Posts!

First, I'd like to welcome new I've Been Mugged readers. About 90 days ago, I started this blog and so much has happened. This post explains why I started this blog.

To celebrate, I thought that I'd share the Top 10 Most Popular Posts based on what readers have viewed most:*

  1. Kroll's Offering From IBM Deserves Scrutiny: an analysis of the IBM-arranged credit monitoring service from Kroll
  2. What Does Your C.L.U.E. Insurance Report Say About You?: a report most consumers are unaware of, and information about Choicepoint
  3. Data Breach Humor: we hope that IT and HR professionals don't manage data breaches like this!
  4. TJX's Offer To Its ID-Theft Victims Deserves Scrutiny: several bloggers analyze TJX's out-of-court settlement and its offer to ID-theft victims
  5. A Conversation With IBM (Part 1): I confront IBM with questions about its data breach and its corporate response
  6. Apparently [the data tapes] fell off the back of a truck…: a review of the news coverage about IBM's data breach
  7. Is TD Ameritrade Doing Right By Its Customers After Its Security Breach?: a review of TD Ameritrade's response to its data breach
  8. Identity Thieves Operate Quickly: a case study involving a coworker
  9. Opt-out Resources for Consumers: 4 resources every consumer should know and use to protect their identity
  10. (Tie) New Hampshire Does It Right and Fraud Alerts: NH does something which few states do, and a discussion of the Fraud Alert tool and its weaknesses

* Thanks to FeedBurner and Google Analytics for making this report possible.

Saturday, September 08, 2007

In the News

During the past few months, I've learned that after a data breach with sensitive personal data (e.g., name, address, birthdate, SS#), the affected company usually offers its affected employees, former employees, or customers one year of free credit monitoring service. An article in the Friday, August 31 American Banker (AB) publication explored the best features for a credit monitoring service. The contents of that credit monitoring service offer seem to vary from company to company.

In the article, AB reporter Daniel Wolfe quoted several representatives from IBM, Kroll, Gartner (a market research company), and Certegy, and me, the author of I've Been Mugged. Mr. Wolfe wrote a balanced article including a variety of perspectives about credit monitoring services.

In the article, representatives from IBM and Gartner emphasized that the value for ID-theft victims is with credit restoration services rather than credit monitoring:

"This is more than just credit monitoring," said Fred McNeese, an IBM spokesman, in an interview. "In the event that the loss was linked to credit theft, then it's working with Kroll to restore a person's identity." Avivah Litan, a vice president and research director at Gartner Inc., a market research company in Stamford, Conn., said most companies put little thought into nonstandard fraud monitoring services. She said IBM made a good pick in Kroll. "Credit restoration is very labor-intensive," and getting a credit report is not, she said.

No doubt. If identity thieves have stolen your personal data and have already hacked into one or more of your financial accounts (e.g., stole money, or gained credit or loans in your name), then yes -- you need help restoring your credit, your finances, and your identity. And credit restoration services are what an ID-theft victim needs in this situation.

If your data has been exposed by a data breach -- but nothing stolen or hacked yet -- then you need credit monitoring. There's nothing to fix or restore (yet). Credit restoration service becomes critical after identity thieves access your financial accounts and steal credit or money.

Credit monitoring is also important for ID-theft victims who are novices -- they haven't read their credit report recently, or never. Many people I've talked or traded e-mails with haven't read their credit report recently.

Yes, identity thieves operate quickly and the financial damage may happen within hours after the theft of personal information... making credit restoration necessary immediately. However, with corporate data breaches, it may take weeks or months for identity thieves to decode encrypted tapes; or the stolen personal data may be resold among several thieves before it is used criminally. If you study the TJX data breach, you'll see that thieves who weren't the original hackers were arrested many months (or years) later; personal data clearly was resold among identity thieves in the US and in other countries. And this fact extends the risk window.

I encourage I've Been Mugged readers to read the American Banker article online (registration required). To register, the AB site will ask you to either subscribe to the magazine or try the 2-week free trial account option.

I wish that the article had given more focus on the duration of the free credit monitoring services offer. I haven't seen much discussion in the literature about what the optimal duration is. Usually, companies with a data breach offer one year of free credit monitoring services to affected individuals (e.g., employees, former employees, and customers). I haven't seen any literature or research about whether all affected individuals receive the same offer. I wonder if senior executives in the company receive the same credit monitoring offer as lower-level employees.

Mr. Wolfe's article accurately stated that I believe that the duration of free credit monitoring services should match the risk period... which is far longer than one year. Why? First, there's no time limit to how long identity thieves will (or will attempt to) abuse your personal data. Second, the company's data breach caused the risk, not the ID-theft victim's actions.

Any free credit monitoring services duration that is shorter than the risk period effectively shifts the burden (and the cost) from the company to the ID-theft victim. In the case of a company data breach, that burden-shifting is unfair, in my opinion.

What do you think? Is one year an appropriate duration for free credit monitoring services after a data breach? What do you think are the best features of a credit monitoring service? You can take our survey located in the column on the right.

Next entry: consumer attitudes about data breaches

Tuesday, September 04, 2007

In The News

InformationWeek Magazine's Security Weblog featured I've Been Mugged in an August 6, 2007 article titled "IBM Lost His Data... A Follow Up Story" by Michael Singer. (The article also appears at Family and Twist.) Even though I'd written to InformationWeek via e-mail, I was pretty surprised by the attention I've Been Mugged received. Frankly, I haven't been blogging that long. So I'd publicly like to thank Mr. Singer for his article.

Mr. Singer's article emphasized many of the points from my July conversation with IBM. The Pogo Was Right blog also covered the InformationWeek article.

Some excerpts from InformationWeek's Security blog:

"George is an ID theft victim whose personal data was potentially exposed after an incident involving IBM. While IBM has graciously extended its hand to help fix the problem, George hasn't been completely happy with how things are turning out. His story may have lessons for the rest of us."

"IBM spokesman Fred McNeese was generous enough to answer that George previously worked for Lotus Development Corp. prior to IBM purchasing it. IBM's human resource records would have come over to IBM as part of the purchase. Fred also said that "Yes, IBM is still doing business with the vendor involved in the incident," but declined to go further."

Mr. Singer makes points which cannot be over-emphasized:

"But what have we learned by George's experience? First off, even if you no longer work for a company, it is very likely that your data will. And... your permanent record could wind up in the hands of another corporation and it may be months before you hear about your information being compromised. Does this mean that we all need to be diligent on how even our former companies are faring? That could be problematic in an environment where workers change jobs frequently and consolidation of companies has become commonplace."

"Secondly, hiring the same consulting company both for IBM's corporate investigation needs and as a credit-monitoring service is not illegal or unethical, but it may raise some eyebrows with the people you are trying to help."

Next entry: what does your C.L.U.E. insurance report say about you?


  • George Jenkins, author of the I've Been Mugged Blog


  • © 2007 - 2008. George Jenkins. All Rights Reserved.