47 posts categorized "Outsourcing"

Why The IRS Gave Equifax A No-Bid Contract Extension

You've probably heard the news. The Internal Revenue Service (IRS) gave a no-bid contract to Equifax, even after knowing about the credit reporting agency's massive data breach and arguably lackadaisical data security approaches by management.

Why would the IRS do this? The contract's synopsis in the Federal Business Opportunities (FBO) site stated on September 30:

"This action was to establish an order for third party data services from Equifax to verify taxpayer identity and to assist in ongoing identity verification and validations needs of the Service. A sole source order is required to cover the timeframe needed to resolve the protest on contract TIRNO-17-Z-00024. This is considered a critical service that cannot lapse."

C/Net explained the decision and sequence of key events:

"The IRS already had enough trouble dealing with tax fraud, losing $5.8 billion to scammers in 2013... The contract, first reported by Politico,... describes the agreement as a "sole source order," calling Equifax's help a "critical service." When it comes to credit monitoring, there are really only three major names in the US: Equifax, Experian and TransUnion. Experian has also suffered a breach... The IRS actually awarded its authentication service contract to another company in July, Jeffrey Tribiano, the agency's deputy commissioner for operations support told members of Congress. Equifax protested losing the contract to the US Government Accountability Office on July 7, according to documents. The office will decide on the protest by October 16. Until then, the IRS could not move onto its new partner. That meant that when the IRS' old contract with Equifax was supposed to expire on Friday (Sept. 29), Tribiano said, millions of Americans would not have been able to verify their identity with the agency for more than two weeks."

Wow! So, the IRS was caught between a rock and a hard place... or "caught between a rock and a hacked place" as C/Net described. Apparently, consumers and taxpayers are also caught.

Once again, another mess involving Equifax gives consumers that "I've been mugged" feeling.


Data Breach Exposes Information Of Millions Of Verizon Customers

A data breach at Verizon has exposed the sensitive information of millions of customers. ZD Net reported:

"As many as 14 million records of subscribers who called the phone giant's customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of NICE Systems, a Ra'anana, Israel-based company. The data was downloadable by anyone with the easy-to-guess web address."

Many businesses use cloud services vendors -- Amazon Web Services and other vendors -- to outsource the storage of customers' information in online databases. While the practice isn't new, a problem is that customers aren't always informed of this business practice involving their sensitive information.

Founded in 1986, NICE Systems has 3,500 employees, serves about 25,000 customers in 150 countries, and provides services to 85 percent of Fortune 100 companies. The exact number of affected Verizon customers is disputed.

The security firm Upguard found the unprotected cloud-based storage server:

"Upguard's Cyber Risk Team can now report that a mis-configured cloud-based file repository exposed the names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers of telecommunications carrier Verizon, per analysis of the average number of accounts exposed per day in the sample that was downloaded. The cloud server was owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon. (UPDATE: July 12, 3 PM PST - Both NICE Systems and Verizon have since confirmed the veracity of the exposure, while a Verizon spokesperson has claimed that only 6 million customers had data exposed)."

Whether the total number of breach victims is 6 or 14 million customers, neither is good. The phrase "account details" is troubling. That could mean anything from e-mail addresses to payment information to residential addresses, or more.

Upguard's announcement added:

"Beyond the risks of exposed names, addresses, and account information being made accessible via the S3 bucket’s URL, the exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning. Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication.

Finally, this exposure is a potent example of the risks of third-party vendors handling sensitive data... Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises."

Agreed. This outsourcing business practice may be profitable for all companies involved, but it does not decrease the risks. Not good. Mis-configured cloud servers should not happen. Not good. The event raises the question: when has this happened before but gone undetected?

Verizon released a statement about the incident:

"... an employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access. We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.

By way of background, the vendor was supporting an approved initiative to help us improve a residential and small business wireline self-service call center portal and required certain data for the project. The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area.

To further clarify, the data supports a wireline portal and only includes a limited number of cell phone numbers for customer contact purposes. In addition, to the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts..."

Typically, after a breach companies hire independent security experts to investigate breaches and the contributing causes. Verizon's announcement did not state who, if anyone, it hired to perform a post-breach investigation nor when. So, according to Verizon: no big deal. No problem. Hmmmmm.

Reportedly, Upguard notified Verizon about the breach on June 13, and the breach was fixed on June 22. Upguard added:

"The long duration of time between the initial June 13th notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22nd, is troubling."

Troubling, indeed. What took Verizon (and/or NICE Systems) so long? Verizon's statement didn't say. And what is Verizon (and/or NICE Systems) doing so this type of breach doesn't happen again? I look forward to upcoming explanations by both companies.

Readers: what are your opinions of this data breach? Of how long it took Verizon to fix things? Of the outsourcing practice? Verizon customers:

  • Is Verizon doing enough to protect your sensitive data?
  • Should affected customers be notified directly?
  • Have you received a breach notice from Verizon? If so, share some of its details.

Dozens Of Uber Employees Fired Or Investigated For Harassment. Uber And Lyft Drivers Unaware of Safety Recalls

Ride-sharing companies are in the news again and probably not for the reasons their management executives would prefer. First, TechCrunch reported on Thursday:

"... at a staff meeting in San Francisco, Uber executives revealed to the company’s 12,000 employees that 20 of their colleagues had been fired and that 57 are still being probed over harassment, discrimination and inappropriate behavior, following a string of accusations that Uber had created a toxic workplace and allowed complaints to go unaddressed for years. Those complaints had pushed Uber into crisis mode earlier this year. But the calamity may be just beginning... Uber fired senior executive Eric Alexander after it was leaked to Recode that Alexander had obtained the medical records of an Uber passenger in India who was raped in 2014 by her driver."

"Recode also reported that Alexander had shared the woman’s file with Kalanick and his senior vice president, Emil Michael, and that the three men suspected the woman of working with Uber’s regional competitor in India, Ola, to hamper its chances of success there. Uber eventually settled a lawsuit brought by the woman against the company..."

News broke in March, 2017 about both the Recode article and the Greyball activity at Uber to thwart local government code inspections. In February, a former Uber employee shared a disturbing story with allegations of sexual harassment.

Second, the investigative team at WBZ-TV, the local CBS affiliate in Boston, reported that many Uber and Lyft drivers are unaware of safety recalls affecting their vehicles. This could make rides in these cars unsafe for passengers:

"Using an app from Carfax, we quickly checked the license plates of 167 Uber and Lyft cars picking up passengers at Logan Airport over a two day period. Twenty-seven of those had open safety recalls or about 16%. Recalls are issued when a manufacturer identifies a mechanical problem that needs to be fixed for safety reasons. A recent example is the millions of cars that were recalled when it was determined the airbags made by Takata could release shrapnel when deployed in a crash."

Both ride-sharing companies treat drivers as independent contractors. WBZ-TV reported:

"Uber told the [WBZ-TV investigative] Team that drivers are contractors and not employees of the company. A spokesperson said they provide resources to drivers and encourage them to check for recalls and to perform routine maintenance. Drivers are also reminded quarterly to check with NHTSA for recall information."

"According to the president of the Massachusetts Bar Association Jeffrey Catalano, the responsibility to make sure the car is safe for passengers lies mainly with the driver. But because Uber and Lyft both advertise their commitment to safety on their websites, they too could be held responsible."


Federal Reserve Survey of Experiences of Younger Workers

The Federal Reserve Board (FRB) recently released the results of its survey of younger workers ages 18 to 30 with data through 2015. The survey found that younger workers overall:

"... experienced higher rates of unemployment and lower rates of labor force participation than the general population for at least two decades, and the Great Recession exacerbated this phenomenon. Despite a substantial labor market recovery from 2009 through 2014, vulnerable populations—including the nation’s young adults—continue to experience higher rates of unemployment. Changes in labor market conditions, including globalization and automation, have reduced the availability of well-paid, secure jobs for less-educated persons, particularly those jobs that provide opportunity for advancement. Furthermore, data suggest that young workers entering the labor market are affected by a long-running increase in the use of “contingent” or “alternative” work arrangements, characterized by contracted, part-time, temporary, and seasonal work."

Specific findings about younger workers' attitudes:

"In 2015, the majority of young adults (61 percent) are optimistic about their future job opportunities, showing an increase in optimism from 2013 (45 percent)... the likelihood that a young adult is optimistic about future job opportunities increases with higher levels of education... young adults continue to have a strong preference for steady employment (62 percent) over higher pay (36 percent)... Among respondents who prefer steady employment, 80 percent would rather have one steady job than a stream of steady jobs for the next five years...

Most young adults are not sure how their standard of living will compare with their parents’ standard of living. Young adults with at least one parent with a bachelor’s degree (or higher) are more likely to believe their standard of living will be lower than their parents (4 percent) when compared with young adults whose parents have a high school education or less (1 percent)..."

Specific findings about younger workers' experiences:

"28 percent of respondents are currently enrolled as students in a certificate or degree program. Most students are enrolled in degree programs... most undergraduate students are identified “nontraditional” because they are over age 23, enrolled in school part time, working full time, and/or financially independent. 10 percent of respondents are “non-completers,” meaning they are not currently enrolled in a certificate or degree program they started... 62 percent of respondents with post-secondary education worked while in school to finance all or part of their most recent education. 52 percent of respondents with post-secondary educational experience have parents that contributed financially to their education. 46 percent of respondents incurred debt to pay for some portion of their education or training...

41 percent of respondents believe they have the level of education and training needed for the type of job that they would like to hold in the next five years... 66 percent of young adults received information about jobs and careers during high school. And, 69 percent of young adults received such information in college...

Less than half (45 percent) of employees work in a career field that is closely related to their educational and training background... Many young adults gained early work experience during high school, college, or both. 53 percent of young adults had a paid job during high school, and 77 percent of young adults had a paid job during college..."

A key takeaway: about 30 percent of young adults did not receive information about jobs and careers in high school or college. That seems to be an area the educational sector must improve upon.

4,135 potential respondents were contacted for the 2015 survey, and 2,035 completed surveys (49 percent response rate). FRB staff designed the survey, which was administered by GfK, an online consumer research company.

More notable statistics from the survey: about 69 percent of survey respondents have some form of paid employment, up from 60 percent in 2013. 63 percent of employees held a single full-time job during the past year, and 18 percent of employees held multiple full-time jobs during the past year. Profile information about employed younger workers:

"78 percent of employees have a permanent/long-term job... 75 percent of employees in the survey have a full-time job... Among part-time employees surveyed, 49 percent were identified as underemployed, as they are working part time because of economic conditions. Meanwhile, 42 percent of part-time employees prefer part-time work... The percent of young workers who have health insurance increased from 2013 (70 percent) to 2015 (82 percent). Likewise, the percent of young workers who received paid time off for sick leave, holidays, or both from any of their paid jobs increased from 2013 (59 percent) to 2015 (62 percent)...

As adults, 43 percent of employees have formed a new household with their immediate family (i.e., spouse/partner), and 20 percent have formed a new household alone or with a roommate..."

Self-sufficiency is important. The report found:

"... 73 percent of employees are able to cover their monthly household expenses with their household income. Meanwhile, 22 percent of employees report that they are sometimes able to cover their monthly household expenses, and 4 percent are not able to cover their monthly household expenses at all... Among employees who are not able to cover their household expenses some or all of the time, 64 percent reduce their monthly expenses to meet the challenge, 56 percent do not pay some bills, 54 percent borrow money from family, 46 percent use their credit cards, 41 percent use savings, and 16 percent borrow from friends.

A key consideration regarding self-sufficiency is the ability of a household to withstand financial disruptions. Among young workers, the ability to go without a paycheck temporarily improved between 2013 and 2015. The percent of young workers who can pay their living expenses if out of work for four weeks improved from 38 percent in 2013 to 45 percent in 2015..."

The report cited 4 policy implications to address the findings:

  1. Improve Alignment between Education and the Labor Market
  2. Increase Opportunities for Non-degree Education
  3. Provide Assistance and Protections for Workers with Alternative Work Arrangements
  4. Seek Opportunities to Improve Job Growth

There is plenty of information in the 120-page report, which is available at the FRB site and here (Adobe PDF; 1,190.2K bytes).


Big Data Brokers: Failing With Privacy

You may not know that hedge funds, in both the United Kingdom and in the United States, buy and sell a variety of information from data brokers: mobile app purchases, credit card purchases, posts at social networking sites, and lots more. You can bet that a lot of that mobile information includes geo-location data. The problem: consumers' privacy isn't protected consistently.

The industry claims the information sold is anonymous (e.g., doesn't identify specific persons), but researchers have found it easy to de-anonymize the information. The Financial Times reported:

"The “alternative data” industry, which sells information such as app downloads and credit card purchases to investment groups, is failing to adequately erase personal details before sharing the material... big data is seen as an increasingly attractive source of information for asset managers seeking a vital investment edge, with data providers selling everything from social media chatter and emailed receipts to federal lobbying data and even satellite images from space..."

One part of the privacy problem:

“The vendors claim to strip out all the personal information, but we occasionally find phone numbers, zip codes and so on,” said Matthew Granade, chief market intelligence officer at Steven Cohen’s Point72. “It’s a big enough deal that we have a couple of full-time tech people wash the data ourselves.” The head of another major hedge fund said that even when personal information had been scrubbed from a data set, it was far too easy to restore..."

A second part of the privacy problem:

“... there is no overarching US privacy law to protect consumers, with standards set individually by different states, industries and even companies, according to Albert Gidari, director of privacy at the Stanford Center for Internet and Society..."

The third part of the privacy problem: consumers are too willing to trade personal information for convenience.


High Tech Companies And A Muslim Registry

Since the Snowden disclosures in 2013, there have been plenty of news reports about how technology companies have assisted the U.S. government with surveillance programs. Some of these activities included surveillance programs by the U.S. National Security Agency (NSA) that included innocent citizens, bulk collection of phone call metadata, warrantless searches by the NSA of citizens' phone calls and emails, facial image collection, identification of the best collaborator with NSA spying, fake cell phone towers (a/k/a 'stingrays') used by both federal government agencies and local police departments, and automated license plate readers to track drivers.

You may also remember, after Apple Computer's refusal to build a backdoor into its smartphones, the U.S. Federal Bureau of Investigation bought a hacking tool from a third party. Several tech companies built the reform government surveillance site, while others actively pursue "Surveillance Capitalism" business goals.

During the 2016 political campaign, candidate (and now President Elect) Donald Trump said he would require all Muslims in the United States to register. Mr. Trump's words matter greatly given his lack of government experience. His words are all voters had to rely upon.

So, The Intercept asked several technology companies a key question about the next logical step: whether or not they are willing to help build and implement a Muslim registry:

"Every American corporation, from the largest conglomerate to the smallest firm, should ask itself right now: Will we do business with the Trump administration to further its most extreme, draconian goals? Or will we resist? This question is perhaps most important for the country’s tech companies, which are particularly valuable partners for a budding authoritarian."

The companies queried included IBM, Microsoft, Google, Facebook, Twitter, and others. What's been the response? Well, IBM focused on other areas of collaboration:

"Shortly after the election, IBM CEO Ginni Rometty wrote a personal letter to President-elect Trump in which she offered her congratulations, and more importantly, the services of her company. The six different areas she identified as potential business opportunities between a Trump White House and IBM were all inoffensive and more or less mundane, but showed a disturbing willingness to sell technology to a man with open interest in the ways in which technology can be abused: Mosque surveillance, a “virtual wall” with Mexico, shutting down portions of the internet on command, and so forth."

The response from many other companies has mostly been crickets. So far, only executives at Twitter have flatly refused, and included with its reply a link to its blog post about developer policies:

"Recent reports about Twitter data being used for surveillance, however, have caused us great concern. As a company, our commitment to social justice is core to our mission and well established. And our policies in this area are long-standing. Using Twitter’s Public APIs or data products to track or profile protesters and activists is absolutely unacceptable and prohibited.

To be clear: We prohibit developers using the Public APIs and Gnip data products from allowing law enforcement — or any other entity — to use Twitter data for surveillance purposes. Period. The fact that our Public APIs and Gnip data products provide information that people choose to share publicly does not change our policies in this area. And if developers violate our policies, we will take appropriate action, which can include suspension and termination of access to Twitter’s Public APIs and data products.

We have an internal process to review use cases for Gnip data products when new developers are onboarded and, where appropriate, we may reject all or part of a requested use case..."

Recently, a Trump-Pence supporter floated this trial balloon to justify such a registry:

"A prominent supporter of Donald J. Trump drew concern and condemnation from advocates for Muslims’ rights on Wednesday after he cited World War II-era Japanese-American internment camps as a “precedent” for an immigrant registry suggested by a member of the president-elect’s transition team. The supporter, Carl Higbie, a former spokesman for Great America PAC, an independent fund-raising committee, made the comments in an appearance on “The Kelly File” on Fox News...

“We’ve done it based on race, we’ve done it based on religion, we’ve done it based on region,” Mr. Higbie said. “We’ve done it with Iran back — back a while ago. We did it during World War II with Japanese.”

You can read the replies from nine technology companies at the Intercept site. Will other companies besides Twitter show that they have a spine? Whether or not such a registry ultimately violates the U.S. Constitution, we will definitely hear a lot more about this subject in the near future.


Millions Of Android Smartphones And Apps Infected With New Malware, And Accounts Breached

Security researchers at Check Point Software Technologies have identified malware infecting an average of 13,000 Android phones daily. More than 1 million Android phones have already been infected. Researchers named the new malware "Gooligan." Check Point explained in a blog post:

"Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more. Gooligan is a new variant of the Android malware campaign found by our researchers in the SnapPea app last year... Gooligan potentially affects devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which is over 74% of in-market devices today. About 57% of these devices are located in Asia and about 9% are in Europe... We found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores. These stores are an attractive alternative to Google Play because many of their apps are free, or offer free versions of paid apps. However, the security of these stores and the apps they sell aren’t always verified... Logs collected by Check Point researchers show that every day Gooligan installs at least 30,000 apps fraudulently on breached devices or over 2 million apps since the campaign began..."

This Telegraph UK news story listed 24 device manufacturers affected: Archos, Broadcom, Bullitt, CloudProject, Gigaset, HTC, Huaqin, Huawei, Intel, Lenovo, Pantech, Positivio, Samsung, Unitech, and others. The Check Point announcement listed more than 80 fake mobile apps infected with the Gooligan malware: Billiards, Daily Racing, Fingerprint unlock, Hip Good, Hot Photo, Memory Booster, Multifunction Flashlight, Music Cloud, Perfect Cleaner, PornClub, Puzzle Bubble-Pet Paradise, Sex Photo, Slots Mania, StopWatch, Touch Beauty, WiFi Enhancer, WiFi Master, and many more.

Check Point is working closely with the security team at Google. Adrian Ludwig, Google’s director of Android security, issued a statement:

"Since 2014, the Android security team has been tracking a family of malware called 'Ghost Push,' a vast collection of 'Potentially Harmful Apps' (PHAs) that generally fall into the category of 'hostile downloaders.' These apps are most often downloaded outside of Google Play and after they are installed, Ghost Push apps try to download other apps. For over two years, we’ve used Verify Apps to notify users before they install one of these PHAs and let them know if they’ve been affected by this family of malware... Several Ghost Push variants use publicly known vulnerabilities that are unpatched on older devices to gain privileges that allow them to install applications without user consent. In the last few weeks, we've worked closely with Check Point... to investigate and protect users from one of these variants. Nicknamed ‘Gooligan’, this variant used Google credentials on older versions of Android to generate fraudulent installs of other apps... Because Ghost Push only uses publicly known vulnerabilities, devices with up-to-date security patches have not been affected... We’ve taken multiple steps to protect devices and user accounts, and to disrupt the behavior of the malware as well. Verified Boot [https://source.android.com/security/verifiedboot/], which is enabled on newer devices including those that are compatible with Android 6.0, prevents modification of the system partition. Adopted from ChromeOS, Verified Boot makes it easy to remove Ghost Push... We’ve removed apps associated with the Ghost Push family from Google Play. We also removed apps that benefited from installs delivered by Ghost Push to reduce the incentive for this type of abuse in the future."

Android device users can also have their devices infected by phishing scams where criminals send text and email messages containing links to infected mobile apps. News about this latest malware comes at a time when some consumers are already worried about the security of Android devices.

Recently, there were reports of surveillance malware installed in the firmware of some Android devices, and the Quadrooter security flaw affecting 900 million Android phones and tablets. Last month, Google quietly dropped its ban on personally identifiable web tracking.

News about this latest malware also highlights the problems with Google's security model. We know from prior reports that manufacturers and wireless carriers don't provide OS updates for all Android phones. Hopefully, the introduction last month of the Pixel phone will address those problems. A better announcement would have also highlighted security improvements.

For the Gooligan malware, Check Point has developed a web site for consumers to determine if their Google account has already been compromised: https://gooligan.checkpoint.com/. Check Point advised consumers with compromised accounts:

"1. A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.”

2. Change your Google account passwords immediately after this process."

A word to the wise: a) shop for apps only at trustworthy, reputable sites; b) download and install all operating-system security patches to protect your devices and your information; and c) avoid buying cheap phones that lack operating system software updates and security patches.


Can Apple Move iPhone Production To The United States?

President Elect Donald Trump and his incoming administration have promised to "make America great again." That promise included a key policy position to move manufacturing -- and its jobs -- back to the United States; in particular move production of Apple iPhones to the USA:

"we have to bring Apple — and other companies like Apple — back to the United States. We have to do it. And that’s one of my real dreams for the country, to get … them back. We have a great capacity in this country."

Well, can it be done? And if so, what might the consequences be?

Nikkei Asia Review reported:

"Key Apple assembler Hon Hai Precision Industry, also known as Foxconn Technology Group, has been studying the possibility of moving iPhone production to the United States... Apple asked both Foxconn and Pegatron, the two iPhone assemblers, in June to look into making iPhones in the United States..."

Experts warn that moving production is complex and difficult. Not only must assembly operations be relocated, but new facilities must be located and built, plus nearby suppliers and transport services found, moved, and contracts obtained. During the globalization trend of the last 35 years, many manufacturing facilities in the USA were closed, destroyed, and replaced with other businesses. Plus, the remaining facilities may be technologically obsolete. After solving these issues, production workers must then be hired.

With any major change, there often are unintended consequences. A possible consequence:

"Making iPhones in the U.S. means the cost will more than double... According to research company IHS Markit, it costs about $225 for Apple to make an iPhone 7 with a 32GB memory, while the unsubsidized price for such a handset is $649..."

Prices for unlocked iPhone 7 phones with 32 GB on eBay range from $700 to $1,000.00. 128 and 256 GB versions cost even more. Would consumers be willing to pay higher prices, say 50 percent more, or even double?


Yahoo Confirms Massive Data Breach. Unclear If Users At Its Outsourcing Clients Were Also Affected

After reports about a rumored announcement, Yahoo confirmed late on Thursday a massive data breach affecting half a billion users -- 500 million persons. Yahoo believes the breach was performed by a "state-sponsored actor."

Data elements exposed and stolen during the breach include full names, e-mail addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, security questions and answers. The breach dated back to 2014. This is very serious, and by far the largest breach ever. The data elements stolen facilitate spam and a variety of scams; plus access to email contacts such as clients, customers, and patients.

Yahoo's breach announcement stated:

"The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter..."

Yahoo is in the process of notifying affected persons. Affected users should change their passwords, security questions, and answers.

The breach announcement did not state if users at outsourcing clients were affected. Other companies and entities can outsource their e-mail services to Yahoo, or to other e-mail providers offering similar services. One such company appears to be AT&T. The "AT&T Email Basics" page (see image below) references a co-branded AT&T-Yahoo website for AT&T customers to check their e-mail.

AT&T Email Basics page references Yahoo site for email.

I reached out to AT&T for a comment. A reply was not received by press time. If its email users were affected by the breach, then those users will probably want to know who is going to assist them, and what assistance will be offered.

Given the pending acquisition of Yahoo by Verizon, several AT&T customers already discussed in an online forum concerns about what might happen to their e-mail service operated by a competitor. (Verizon said on Thursday it learned about the breach two days ago.) If users at outsourcing clients were also affected by the breach, then this might add to their uncertainty.

If you received a breach notice from Yahoo, what is your opinion of the response?


Digital Economy Workers Fight For Their Rights And Fair Treatment

The digital economy includes a variety of industries, ranging from e-commerce and auction sites (e.g., eBay, Etsy) to ride-sharing services (e.g., Uber, Lyft), and more. A lot of people love them, and participate as consumers, sellers, or workers. A recent New York Times article about workers in the digital economy caught my attention:

"... many workers have felt squeezed and at times dehumanized by a business structure that promises independence but often leaves them at the mercy of increasingly powerful companies. Some are beginning to band together in search of leverage and to secure what they see as fairer treatment from the platforms that make the work possible."

The article described a growing awareness among workers:

“We started realizing we’re not contractors, we’re more like employees,” said Berhane Alemayoh, one of the UberBlack drivers in Dallas. “They tell us what kind of car to drive. They kick you out if a customer accused you of not having a clean car. They started to tighten the rope. Gradually, we can’t breathe any more.”

In June, the California Labor Commission ruled that Uber drivers are employees, not contractors. In December, the Seattle City Council approved an ordinance allowing ride-sharing drivers to unionize. That was a first.

Uber drivers in New York City have protested. Clearly, rates for drivers must exceed the costs of auto payments, insurance, government fees, maintenance, repairs, gasoline, and commissions due the ride-sharing company. Otherwise, it's pointless. Learn more about UberBlack and how it differs from Uber X. Learn about UberSelect, UberBlack, and UberXL in Los Angeles.

The article cited more examples, including compensation and workers' safety issues:

"A group of couriers who find work on the platform Postmates is waging a campaign to create an “I’m done after this delivery” button because they worry that turning down jobs will affect how many future assignments they receive... The National Domestic Workers Alliance, which organizes nannies and housekeepers, recently produced what it calls the Good Work Code, which it has urged gig economy companies to adopt. “They would be dispatched to a home that didn’t feel safe, but would be hesitant to exit themselves from that situation because it might affect their ratings...”

Historically, independent contractors negotiate rates with businesses. Employees don't. Independent contractors, often called freelance workers, typically set their own hours and work approach. Employees don't. Employers typically tell employees when to work, where to work, how to do the job, specify the materials they must use, and dictate the pay rate. Perhaps, most importantly:

"... to the extent that the Dallas drivers have been successful, one crucial advantage is that they were able to organize in person rather than depend exclusively on the Internet and social media. That also helps explain the success of the campaign in Seattle, where Uber had previously reversed a rate cut after facing pressure from drivers..."

Experts have observed:

" "There’s a sense of workplace identity and group consciousness despite the insistence from many of these platforms that they are simply open ‘marketplaces’ or ‘malls’ for digital labor," said Mary L. Gray, a researcher at Microsoft Research and professor in the Media School at Indiana University who studies gig economy workers."

Who are these freelance workers? Forbes Magazine explained:

"... 53 million Americans, or 34% of the population, qualify as freelancers. Not all of them make their living exclusively as freelancers. The number includes 14.3 million workers who would be called “moonlighters”—people who have a primary, traditional job that pays benefits, and supplement their income with extra work, like a full-time tech support worker... Of the remaining 38.7 million, 21.1 million are what the survey calls “traditional” freelancers who do temporary work on a project basis. Some 9.3 million have multiple sources of income which can include a part-time job like working 20 hours a week at a dentist’s office. Another 5.5 million are temporary staffers who work for a single employer but not on a permanent basis that comes with benefits, like a business strategy consultant working for a startup on a contract that can include months of employment. Then there are the 2.8 million business owners who have between one and five employees..."

The issues aren't going away, as companies continue to outsource work globally, not only in the United States. So, you probably know people who work as freelancers. I know many in graphic design, website and mobile app development, and copy writing. Maybe you're a freelancer. I am.

Like any other business, companies in the digital economy merit watching by both freelancers and by customers. Nobody wants to support a business that mistreats its workers.

The examples cited in the newspaper highlight the fact that there's strength in numbers. Companies organize into trade associations, or industry trade groups, to promote their interests and influence government policies through federal, state, and local politicians. Workers should have the same freedoms to organize, if they choose. Both are natural (and necessary) components of a free-market capitalist system.

Don't like organizing? You don't have to join any group. However, when bad things happen in the workplace and you're unable to solve it alone, you may regret having rejected the support of a group. What are your opinions?


You've Got Email Trackers: A Tool Marketers Use To Spy On Consumers

The New York Times told the story of an executive who received a call at 10:30 pm on his smartphone from a marketer, minutes after opening an e-mail message from the same marketer. Coincidence? The executive didn't think so, and after some investigation found that the marketer had planted a tracking mechanism in the e-mail message.

This marketer took e-mail marketing to the creepy zone. The marketer arrogantly assumed the executive, a) wouldn't mind the tracking and privacy invasion; and b) was agreeable to receiving a late-night phone call. Inappropriate. If the executive was driving his car, the late-night call could have created a distracted driving risk. Dangerous.

This marketer isn't alone. According to The New York Times:

"The trackers are traditionally offered by email marketing services like GetResponse and MailChimp. They have a legitimate use: to help commercial entities send messages tailored for specific types of customers. The New York Times, too, uses email trackers in its newsletters. The Electronic Frontier Foundation, a nonprofit that focuses on digital rights, estimates that practically every marketing email now contains some form of a tracker."

The e-mail tracking is possible because most users view HTML e-mail messages. One e-mail vendor's website home page highlights the industry's position:

Image of Sidekick home page.

Marketers want to know when, where, what device you use, and what link(s) you click on with their e-mails and advertisements. Yes, marketers should be able to evaluate their e-mail and marketing programs. At the same time, consumers have valid needs, often including privacy and the desire not to be tracked.

According to Pew Research, consumers perform a variety of tasks to thwart online tracking and data collection: delete browser cookies or browser history (59 percent), refuse to provide personal information irrelevant to the transaction (57 percent), set their browser to disable or turn off browser cookies (34 percent), and more. 86% of internet users have taken steps online to remove or mask their digital footprints. Plus, the growth in usage of ad-blockers by consumers highlights the desire not to be tracked (since many advertising networks contain tracking mechanisms):

"Between 15 to 17% of the U.S. population reportedly use ad blockers, and the number is double that for millennials. The numbers are even higher in Europe, and up to 80-90% in the case of specialty tech and gaming sites."

So, balance and respect are key. If marketers and advertisers are going to plant trackers in e-mail messages, then be honest and transparent: say so. Notify consumers. Provide opt-in mechanisms for consumers that don't mind the tracking.

Don't be that creepy marketer.

Will marketers act with respect and not go to the creepy, dark side? History suggests otherwise, given the litany of covert technologies marketers and advertisers have used to track consumers online: browser cookies, zombie cookies, zombie e-tags, Flash cookies to regenerate browser cookies users have deleted, super cookies, canvas finger-printing, and more recently cross-device tracking.

Aware consumers realize that surveillance isn't performed only by government spy agencies. Private-sector corporate marketers and advertisers do it, too. The New York Times article discussed one of the e-mail trackers used:

"... MailTrack, which is a plug-in for Google’s Chrome browser that can quickly insert a hidden tracking pixel into a message..."

Unfortunately, both the good guys and bad guys (e.g., spammers, phishers) use e-mail trackers. Experts advise consumers to expect trackers planted in messages, and:

"A basic method for thwarting some email trackers involves disabling emails from automatically loading images, including invisible tracking pixels. But that doesn’t defeat all trackers, which are also hiding in other places like fonts and web links."

Ugly Email and Trackbuster are tools consumers can use to detect trackers embedded in e-mail messages. The former is a Gmail plug-in.
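How a detector of this kind can work, shown as an added example (it is not code from Ugly Email, Trackbuster, or the article quoted above): a Python script that scans an HTML e-mail for the hiding places the experts name, namely images, fonts, and web links. The sample message, its domains, and the list of tracking parameter names are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Query-parameter names treated as click-tracking hints (assumed heuristic list).
TRACKING_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "uid", "rid"}
# Remote resources referenced from CSS, e.g. @font-face src: url(https://...)
CSS_URL = re.compile(r"url\(\s*['\"]?(https?://[^'\")\s]+)", re.I)

# Constructed sample message (not a real e-mail; all domains are placeholders).
SAMPLE = """\
From: Newsletter <news@shop.example>
To: reader@mail.example
Subject: Weekly deals
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head>
<style>@font-face { font-family: x; src: url(https://fonts.tracker.example/f.woff?rid=42); }</style>
</head><body>
<img src="https://cdn.shop.example/banner.png" width="600" height="200">
<p>Hello! <a href="https://shop.example/sale?utm_source=mail&amp;uid=abc123">See the sale</a>
or <a href="https://shop.example/help">get help</a>.</p>
<img src="https://t.tracker.example/open.gif?rid=42" width="1" height="1" alt="">
</body></html>
"""


def is_remote(url):
    return urlparse(url or "").scheme in ("http", "https")


def tiny(value):
    """True when a width/height attribute is 0 or 1 (with or without 'px')."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= 1


class TrackerFinder(HTMLParser):
    """Collects (kind, url) pairs for content that reports back to a server."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        compact = style.replace(" ", "").lower()
        if tag == "img" and is_remote(a.get("src")):
            hidden = "display:none" in compact or "visibility:hidden" in compact
            if tiny(a.get("width")) or tiny(a.get("height")) or hidden:
                self.findings.append(("pixel", a["src"]))         # invisible beacon
            else:
                self.findings.append(("remote-image", a["src"]))  # fetched on open
        elif (tag == "link" and is_remote(a.get("href"))
              and "stylesheet" in (a.get("rel") or "").lower()):
            self.findings.append(("remote-css", a["href"]))
        elif tag == "a" and is_remote(a.get("href")):
            params = parse_qs(urlparse(a["href"]).query)
            if TRACKING_PARAMS & set(params):
                self.findings.append(("tracked-link", a["href"]))
        elif tag == "style":
            self._in_style = True
        # Inline style attributes can also pull remote fonts or backgrounds.
        for url in CSS_URL.findall(style):
            self.findings.append(("remote-css", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL.findall(data):
                self.findings.append(("remote-css", url))


def scan_email(raw):
    """Return the findings for every text/html part of a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    finder = TrackerFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for kind, url in scan_email(SAMPLE):
        print(f"{kind:13} {url}")
```

Blocking automatic image loading stops only the `pixel` and `remote-image` findings; the `remote-css` and `tracked-link` findings are the places the quoted experts say image blocking does not cover.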

What are your opinions of e-mail trackers? What software do you use to detect e-mail trackers?

[Editor's Note: an earlier version of this post linked the "cross-device tracking" text to a CBS News article. That link was updated to a more descriptive article at Ars Technica.]


Medical Informatics Engineering, Concentra, Employers, Data Sharing, And Privacy

After receiving the breach notice from Medical Informatics Engineering (MIE) via postal mail, my wife and I wondered how MIE acquired her information. MIE's breach notice mentioned Concentra, a healthcare company we haven't and don't do business with. Today's blog post describes what we learned during our search for answers, and how consumers aren't in control of our sensitive personal information.

Background

The breach was massive. The Journal Gazette reported 3.1 million breach notices sent to affected consumers nationwide. The U.S. Department of Health & Human Services listed 3.9 million consumers affected.  Readers of this blog have reported breach notices received via postal mail in Alabama, California, Colorado, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Maryland, Massachusetts, New Hampshire, Tennessee, Texas, and the District of Columbia. Concentra was one of many health care providers involved.

During our search for answers, my wife contacted her employer and a local clinic. Neither does business with No More Clipboard (MIE's cloud-based service) or with Concentra. On her behalf I contacted Concentra's nearest office in Wilmington, Massachusetts. The office's administrative person searched for information about my wife in Concentra's database. No record. The administrator referred me to a regional human resources representative, who confirmed the breach and suggested that Concentra may have obtained my wife's information from data-sharing during a sales pitch with employers. We continued to look for firmer answers.

The HR representative referred me to Edwin Bodensiek, the Vice President of Public Relations at Select Medical, the corporation that acquired Concentra in May, 2015. Select Medical's First Quarter 2015 10-Q Filing (Adobe PDF) explained:

"[Select Medical Holdings] announced on March 23, 2015 that MJ Acquisition Corporation, a joint venture that the Company has created with Welsh, Carson, Anderson & Stowe XII, L.P. (“WCAS”), has entered into a stock purchase agreement, dated as of March 22, 2015 (the “Purchase Agreement”), as buyer with Concentra Inc. (“Concentra”) and Humana Inc. (“Humana”) to acquire all of the issued and outstanding equity securities of Concentra from Humana. Concentra, a subsidiary of Humana, is a national health care company that delivers a wide range of medical services to employers and patients, including urgent care, occupational medicine, physical therapy, primary care, and wellness programs... For all of the outstanding stock of Concentra, MJ Acquisition Corporation has agreed to pay a purchase price of $1.055 billion..."

Humana had acquired Concentra in 2010. Now, Concentra is part of Select Medical. I contacted Mr. Bodensiek asking when, why, and how Concentra obtained my wife's sensitive personal information. My wife and I weren't sure we'd get any answers, and if so how long it would take.

What We Learned

After about a month, Mr. Bodensiek called with some answers. My wife had taken a temporary part-time job in February 2014 and that second employer used the Humana Wellness (e.g., Concentra) health care services. Mr. Bodensiek explained that the second employer sent an "eligibility file" to Concentra with data about its employees that were eligible for the employer-sponsored health care plan. That's when my wife's name, address, phone, and Social Security Number were transmitted to Concentra; and then to MIE, the electronic medical records vendor for Humana Wellness. Mr. Bodensiek described this as standard business practice.

My wife and I have health care coverage elsewhere, so she never intended to register, and did not register, for health care through this second employer. My wife's situation is not unique since five percent of the U.S. workforce works two or more jobs. (Vermont, South Dakota, Nebraska, Kansas, and Maine lead the nation with people working two or more jobs.) It's great that this second employer offered health care to its employees, but not so great that employees' sensitive information was shared regardless of whether or not the employees expressed an interest in coverage.

I'd like to publicly thank Mr. Bodensiek for his hard work and diligence. He didn't have to help, but he did. It gave us a good first impression of Select Medical. Hopefully, other breach victims have had success getting answers.

Implications And Consequences

Our experience highlights a business practice consumers should know: your employer may share your information with their health care provider whether you subscribe or not, and maybe without your knowledge. Maybe this sharing was for employees' convenience (e.g., faster, easier sign-up for health care), or for the employer's convenience (e.g., minimize processing effort and expense) by sending one, massive eligibility file. Regardless, the business practice has implications and consequences.

First, when an employer's administrative process sends to their health care vendor data about all employees (without an opt-out mechanism), then more data is shared than otherwise, and the process is arguably less private. Why? The health care provider receives and archives information about both subscribers and non-subscribers; patients and non-patients. A process based upon opt-in would be better and more private, since the data shared includes employees who want to sign up for their employer's health care plan. Simply, fewer employee records with sensitive data (e.g., name, address, phone, Social Security Number) are shared, and less data for the health care provider to archive and protect (and further share with a cloud vendor).

Regarding the MIE breach, eligibility-file-sourced data about my wife was archived by MIE. That means MIE archived eligibility-file data about many other employees. So, MIE's database includes data about health-care subscribers and non-subscribers; patients and non-patients. When data breaches happen, the stolen archived data about non-subscribers opens those non-subscribers to identity theft and fraud risks. How long will this data about non-subscribers be archived? When will data about non-subscribers be deleted? Select Medical didn't say. I can only assume the archiving will continue as long as they decide, either solely or in combination with their employer clients.

Second, costs matter. The more data shared, the more records the health care provider and electronic records vendor must archive and protect. When data breaches happen, more data is lost and data breach costs (e.g., investigation, breach notification, identity protection services) are greater. A 2015 study by IBM found that the average total cost of a data breach was $3.8 million, up 23 percent from 2013. Given this high cost, you'd think that employers and health care providers would work together to minimize data sharing. Probably not as long as consumers bear the risks.

Third, if my wife had signed up for health care services with Concentra, then much more sensitive information would have been stolen in the MIE breach. One may argue who is to blame for the data security failure (e.g., breach), but at the end of the day: the employer hired Concentra, and Concentra hired MIE. There is enough blame to go around.

Fourth, the MIE breach highlights some of the places employees' sensitive information can be shared without their knowledge (or consent). If the MIE breach hadn't happened, would employees know their medical records were stored in the cloud? Would employees know about the eligibility-file sharing? One wonders. Employees deserve to know upfront.

Your sensitive personal information also moves when companies (e.g., health care providers, employers, cloud vendors) buy, sell, and merge with other companies. That includes your medical records. Since eligibility-file-sourced data is archived, you don't have to be a health care plan subscriber or patient.

Fifth, for information to be private there must be control. The eligibility-file sharing suggests that employers have the control and not employees. Consumers like my wife have taken steps to protect themselves and their sensitive information by locking down their credit reports with Security Freezes. That data protection is largely undone by eligibility-file sharing with health care providers. Not good.

Consumers need a comparable mechanism to lock down their medical records and prevent eligibility-file sharing. Without such a mechanism, consumers have no control over their medical and personal information. Without control, consumers lack privacy. You lack privacy.

It will be interesting to watch how Select Medical manages its new acquisition. The Select Medical website lists these core values:

"We deliver superior quality in all that we do. At Select Medical, we set high standards of performance for ourselves and for others. We provide superior services to our patients. We continually strive to uphold and improve our reputation for excellence.

We treat others as they would like to be treated. At Select Medical, we treat each other with respect and promote a positive environment where people feel valued. We are honest and open in our relationships and straightforward in our communications.

We are results-oriented and achieve our objectives. At Select Medical, we are focused and decisive in achieving our objectives and helping others achieve theirs. We accept responsibility for our decisions and actions. We are accountable for using our time, talents and resources effectively."

My wife and I know how we want to be treated. We wanted to be treated with respect. We know how we want our sensitive personal and health information treated:

  • Don't collect it unless we're patients,
  • Don't archive it unless we're patients,
  • Don't share it without notice and consent. Consent must be explicit, specific, for a stated duration, and for specific purposes,
  • Don't collect and archive it if you can't protect it,
  • Be transparent. Provide clear, honest answers about breach investigations and data-sharing practices,
  • Don't try to trick us with promises of convenience,
  • Hold your outsourcing vendors to the same standards,
  • Don't make consumers assume the risk. You benefited from data sharing, so you pay the costs, and
  • Two years of credit monitoring is insufficient since the risk is far longer.

What are your opinions? Does the data sharing by employers bother you?


Leaked Documents From The Ashley Madison Data Breach Highlight The Company's Technology Vendors

The fallout continues from the data breach at infidelity website Ashley Madison. Besides several class-action lawsuits filed against Ashley Madison, Forbes magazine reported that stolen documents highlight the company's information technology (I.T.) vendor relationships:

"In response to challenges of the data’s authenticity, Impact Team began a second series of dumps, including what appears to be essentially all corporate records, including source code, internal business documents and corporate emails of Avid Life Media/Ashley Madison... Within those hundreds of thousands of documents is one entitled Areas of Concern – Customer Data (abbreviated in this article, AoC)... The needle in the treasure trove haystack of corporate data... In the AoC, the IT business practices of Avid/Ashley Madison began to emerge, including its relationships with third party vendors. New Relic is mentioned as one of three third party IT vendors to Avid. Also mentioned in that document as vendors are OnX (publicly reported as being an Ashley Madison vendor) and Redis/Memcached (alternative open source caching tools)... The AoC identifies New Relic as being a customer data “concern” (worry), by mentioning that it could employ “a hacker/bad actor” who could gain access to customer data. There was nothing in the AoC to indicate any reason to call out New Relic as a third party vendor presenting particular customer data security risks."

Assuming the leaked documents are accurate, one reason why this is important:

"The existence of third party IT vendors may be of interest to the increasing numbers of plaintiffs suing Avid and Ashley Madison. These plaintiffs have, to date, apparently not named these vendors as defendants."

Noel Biderman, the chief executive at Avid Life Media, Ashley Madison's parent company, resigned last week. The Wired article highlighted another reason:

"... the Missouri suit states that its anonymous plaintiff paid a $19 fee to have Ashley Madison delete her personal information from its servers but failed to deliver on that service."


Medical Informatics Engineering Breach Highlights Breach Notice, Privacy, And Cloud-Storage Issues

In early June, Medical Informatics Engineering (MIE) announced a data breach where unauthorized persons accessed its systems. The breach at MIE, an electronic health records vendor used by many health providers, exposed the sensitive Protected Health Information (PHI) of an undisclosed number of patients in several states. MIE began to notify its corporate clients during June. MIE began notifying affected patients on July 17.

The July 24, 2015 MIE press release about the breach stated:

"FORT WAYNE, Ind.--(BUSINESS WIRE)--On behalf of itself, its NoMoreClipboard subsidiary and its affected clients, Medical Informatics Engineering is writing to provide updated notice of a data security compromise that has affected the security of some personal and protected health information relating to certain clients and individuals who have used a Medical Informatics Engineering electronic health record or a NoMoreClipboard personal health record or patient portal. We emphasize that the patients of only certain clients of Medical Informatics Engineering and NoMoreClipboard were affected by this compromise and those clients have all been notified."

NoMoreClipboard.com (NMC) is a cloud-based service by MIE for storing patients' health records, and making the records easily accessible by a variety of devices: desktops, laptops, tablets, and smart phones. The service is sold to doctors, hospitals, and related professionals.

According to its breach FAQ page, MIE's client list includes:

  • Concentra,
  • Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center (including Neurology, Physical Medicine and Neurosurgery),
  • Franciscan St. Francis Health Indianapolis,
  • Gynecology Center, Inc. Fort Wayne,
  • Rochester Medical Group,
  • RediMed, and Fort Wayne Radiology Association, LLC (including d/b/a Nuvena Vein Center and Dexa Diagnostics, Open View MRI, LLC, Breast Diagnostic Center, LLC, P.E.T. Imaging Services, LLC, MRI Center — Fort Wayne Radiology, Inc. f/k/a Advanced Imaging Systems, Inc.)

NoMoreClipboard.com's client list includes many clinics, hospitals, physicians, specialists, attorneys, schools, and more (links added):

NoMoreClipboard.com Clients Affected By Data Breach
Advanced Cardiac Care
Advanced Foot Specialists
All About Childrens Pediatric Partners, PC
Allen County Dept of Health
Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center
Altagracia Medical Center
Anderson Family Medicine
Arkansas Otolaryngology, P.A.
Auburn Cardiology Associates
Basedow Family Clinic Inc.
Bastrop Medical Clinic
Batish Family Medicine
Beaver Medical
Boston Podiatry Services PC
Brian Griner M.D.
Brightstarts Pediatrics
Burnsville Medical Center
Capital Rehabilitation
Cardiovascular Consultants of Kansas
Carl Gustafson OD
Carolina Gastroenterology
Carolina Kidney & Hypertension Center
Carolinas Psychiatric Associates
Center for Advanced Spinal Surgery
Chang Neurosurgery & Spine Care
Cheyenne County Hospital
Children's Clinic of Owasso, P.C.
Clara A. Lennox MD
Claude E. Younes M.D., Inc.
CMMC
Coalville Health Center
Cornerstone Medical and Wellness, LLC
Cumberland Heart
David A. Wassil, D.O.
David M Mayer MD
Dr. Alicia Guice
Dr. Anne Hughes
Dr. Buchele
Dr. Clark
Dr. Harvey
Dr. John Labban
Dr. John Suen
Dr. Puleo
Dr. Rajesh Rana
Dr. Rustagi
Dr. Schermerhorn
Dr. Shah
Ear, Nose & Throat Associates, P.C.
East Carolina Medical Associates
Eastern Washington Dermatology Associates
Ellinwood District Hospital
Family Care Chiropractic Center
Family Practice Associates of Macomb
Family Practice of Macomb
Floyd Trillis Jr., M.D.
Fredonia Regional Hospital
Fremont Family Medicine
Generations Primary Care
Grace Community Health Center, Inc.
Grisell Memorial Hospital
Harding Pediatrics LLP
Harlan County Health System
Health Access Program
Heart Institute of Venice
Henderson Minor Outpatient Medicine
Henry County Hospital myhealth portal
Highgate Clinic
Hobart Family Medical Clinic
Howard Stierwalt, M.D.
Howard University Hospital
Hudson Essex Nephrology
Huntington Medical Associates
Huntington Medical Group
Hutchinson Regional Medical Center
Idaho Sports Medicine Institute
In Step Foot & Ankle Specialists
Independence Rehabilitation Inc
Indiana Endocrine Specialists
Indiana Internal Medicine Consultants
Indiana Ohio Heart Indiana Surgical Specialists
Indiana University
Indiana University Health Center
Indianapolis Gastroenterology and Hepatology
Internal Medicine Associates
IU — Northwest
Jackson Neurolosurgery Clinic
James E. Hunt, MD
Jasmine K. Leong MD
Jewell County Hospital
John Hiestand, M.D.
Jonathan F. Diller, M.D.
Jubilee Community Health
Kardous Primary Care
Keith A. Harvey, M.D.
Kenneth Cesa DPM
Kings Clinic and Urgent Care
Kiowa County Memorial Hospital
Kristin Egan MD
Lakeshore Family Practice
Lane County Hospital
Logan County Hospital
Margaret Mary Health
Masonboro Urgent Care
McDonough Medical Group Psychiatry
Medical Care, Inc.
Medical Center of East Houston
Medicine Lodge Memorial Hospital
MedPartners
MHP Cardiology
Michael Mann, MD, PC
Michelle Barnes Marshall, P.C.
Michiana Gastroenterology, Inc.
Minneola District Hospital
Mora Surgical Clinic
Moundridge Mercy Hospital Inc
myhealthnow
Nancy L. Carteron M.D.
Naples Heart Rhythm Specialists
Nate Delisi DO
Neighborhood Health Clinic
Neosho Memorial Regional Medical Center
Neuro Spine Pain Surgery Center
Norman G. McKoy, M.D. & Ass., P.A.
North Corridor Internal Medicine
Nova Pain Management
Novapex Franklin
Oakland Family Practice
Oakland Medical Group
Ohio Physical Medicine & Rehabilitation Inc.
On Track For Life
Ottawa County Health Center
Pareshchandra C. Patel MD
Parkview Health System, Inc. d/b/a Family Practice Associates of Huntington
Parkview Health System, Inc. d/b/a Fort Wayne Cardiology
Parrott Medical Clinic
Partners In Family Care
Personalized Health Care Of Tucson
Phillips County Hospital
Physical Medicine Consultants
Physicians of North Worchester County
Precision Weight Loss Center
Primary & Alternative Medical Center
Prince George's County Health Dept.
Rebecca J. Kurth M.D.
Relief Center Republic County Hospital
Ricardo S. Lemos MD
Richard A. Stone M.D.
Richard Ganz MD
River Primary Care
Rolando P. Oro MD, PA
Ronald Chochinov
Sabetha Community Hospital
Santa Cruz Pulmonary Medical Group
Santone Chiropractic
Sarasota Cardiovascular Group
Sarasota Center for Family Health Wellness
Sarasota Heart Center
Satanta District Hospital
Saul & Cutarelli MD's Inc.
Shaver Medical Clinic, P. A.
Skiatook Osteopathic Clinic Inc.
Sleep Centers of Fort Wayne
Smith County Hospital
Smith Family Chiropractic
Somers Eye Center
South Forsyth Family Medicine & Pediatrics
Southeast Rehabilitation Associates PC
Southgate Radiology
Southwest Internal Medicine & Pain Management
Southwest Orthopaedic Surgery Specialists, PLC
Stafford County Hospital
Stephen Helvie MD
Stephen T. Child MD
Susan A. Kubica MD
Texas Childrens Hospital
The Children's Health Place
The Heart & Vascular Specialists
The Heart and Vascular Center of Sarasota
The Imaging Center
The Johnson Center for Pelvic Health
The Medical Foundation, My Lab Results Portal
Thompson Family Chiropractic
Trego County Hospital
Union Square Dermatology
Volunteers in Medicine
Wells Chiropractic Clinic
Wichita County Health Center
William Klope MD
Wyoming Total Health Record Patient Portal
Yovanni Tineo M.D.
Zack Hall M.D.

The MIE press release included few details about exactly how hackers accessed its systems:

"On May 26, 2015, we discovered suspicious activity in one of our servers. We immediately began an investigation to identify and remediate any identified security vulnerability. Our first priority was to safeguard the security of personal and protected health information, and we have been working with a team of third-party experts to investigate the attack and enhance data security and protection. This investigation is ongoing. On May 26, 2015, we also reported this incident to law enforcement including the FBI Cyber Squad. Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement’s investigation. The investigation indicates this is a sophisticated cyber attack. Our forensic investigation indicates the unauthorized access to our network began on May 7, 2015. Our monitoring systems helped us detect this unauthorized access, and we were able to shut down the attackers as they attempted to access client data."

The breach highlights the need for greater transparency by both health care providers and the outsourcing vendors they hire. The breach also highlights the fact that medical records are stored and accessible via cloud-based services. Did you know that? I didn't before. And, this raises the question: is storage of PHI in the cloud the best and safest way?

The breach notices from MIE to consumers may create confusion, since patients don't do business directly with MIE and probably won't recognize its name. My wife received a breach notice on Friday and did not recognize MIE by name. I hadn't heard of MIE, either, so I did some online research. During June, MIE notified both the California Attorney General's office (Adobe PDF) and the New Hampshire Attorney General's office (Adobe PDF) of residents in each state affected by the data breach. MIE is represented by the law firm of Lewis, Brisbois, Bisgaard and Smith LLP (LBBS). LBBS has offices in 35 states and the District of Columbia.

MIE probably notified several other states, but many states, including the Massachusetts Attorney General's office, do not post online breach notices they receive. (They should, since it helps consumers verify breach notices.) HIPAA federal law requires certain entities to send breach notices to affected patients for breaches of unprotected data affecting more than 500 patients. At press time, a check of the Health & Human Services site did not find an MIE breach listing. When posted, it should reveal the total number of patients affected by the breach.

The breach notice my wife received was dated July 17, 2015. It repeated information already available online and offered few new details. It began:

"My name is Eric Jones and I am co-founder and COO of Medical Informatics Engineering, a company that provides electronic medical record services to certain health care provider clients, including Concentra. On behalf of Medical Informatics Engineering, I am writing to notify you that a data security compromise occurred at Medical Informatics Engineering that has affected the security of some of your personal and protected health information. This letter contains details about the incident and our response..."

My wife didn't recognize either Concentra or No More Clipboard by name. The notice she received listed the following patients' information as exposed or stolen:

"While investigations into this incident are ongoing, we determined the security of some personal and protected health information contained on Medical Informatics Engineering's network has been affected. The affected information: SSN, Address, Phone, Birth Date"

This seemed vague. Which address: e-mail or residential street address? Which phone: mobile, land-line, or both? Were Social Security Numbers stored in open or encrypted format? And, if not encrypted, why not? The breach notice didn't say much.

Then, there is this: the breach letter my wife received included far fewer information elements than the July 24, 2015 press release:

"The affected data relating to individuals affiliated with affected Medical Informatics Engineering clients may include an individual’s name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, Social Security number, lab results, health insurance policy information, diagnosis, disability code, doctor’s name, medical conditions, and child’s name and birth statistics. The affected data relating to individuals who used a NoMoreClipboard portal/personal health record may include an individual’s name, home address, Social Security number, username, hashed password, spousal information (name and potentially date of birth), security question and answer, email address, date of birth, health information, and health insurance policy information."

This raised the question: which MIE document is correct? The breach notice, the press release, or neither? The notice seemed to raise more questions than it answered, so Monday morning we called the MIE hotline listed in its breach notice. After waiting 50 minutes on hold, a representative finally answered. The phone representative identified herself and her employer, Epic Systems based in Oregon. So, MIE outsourced the hotline support portion of its post-breach response.

I asked the representative to explain exactly how MIE acquired my wife's medical records. She looked up my wife's record in their system and replied that MIE had acquired it through business with Concentra. This was puzzling since neither my wife nor I have done business with Concentra. So, I was on the phone with one subcontractor who was pointing the finger at another subcontractor. Lovely. And, nobody on the phone actually from MIE. Disappointing.

Next, I called the nearest Concentra office, which is 17 miles away in Wilmington, Massachusetts. (We live in Boston.) The person in the billing department was helpful. (She admitted that she, too, had received a breach notice from MIE.) The representative attempted to find my wife's information in Concentra's systems. As my wife and I thought: no record. We have not done any business with Concentra. Confirmed.

The Wilmington-office representative's first answer was to give me the MIE breach hotline number. I explained that I had already called the MIE hotline. Then, the representative provided a regional contact in Concentra's human resources department. I have called Tyree Wallace twice, but so far no response. Not good.

What to make of this situation? One vendor's system has errors, but I can't yet tell which: MIE or Concentra. Maybe that's a result of the hack. Maybe not. The whole situation reminds me of the robo-signing and residential mortgage-backed securities scandals by banks, where shortcuts were taken without proper documentation and items repackaged, sold, and resold without disclosures -- nobody knew exactly what was what. An epic mess. Could a similar epic mess happen with electronic medical records? I hope not.

I reviewed the breach notice again, but this time focused upon MIE's offer of two years of free credit monitoring services with the Experian ProtectMyID Elite service. The ProtectMyID website lists the following features:

"Credit Monitoring: You may review your credit card statements every month for purchases you didn't make. But, every day, we check your credit report for other types of fraud that are much more dangerous. We watch for 50 leading indicators of identity theft. Each one, from a new loan to medical collections, poses a unique threat to your identity that we'll help you address."

"Internet Scan: ProtectMyID continually monitors a vast number of online sources where compromised credit and debit card numbers, Social Security numbers and other personal data is found, traded or sold, helping reduce your potential exposure to identity theft."

"National Change of Address Monitoring: Your bills and monthly statements can feed criminals important account and personal information. An identity thief may steal a single piece of your mail or all of it with a fraudulent change of address request at the post office. Every day, we look for the red flags. We monitor address changes at the national and credit report levels and help you resolve any issues."

Is this a good deal? Each affected patient can decide for themselves, since you know your needs best. Plus, patients' needs vary. The Internet scan and address monitoring features sound nice, but only you can determine if you need those protections. While two years of free credit monitoring is better than one year, I couldn't find an explicit statement in the site about whether ProtectMyID monitors credit reports at all three credit reporting agencies (e.g., Experian, Equifax, TransUnion), or only one. Monitoring only one doesn't seem like effective coverage. In 8+ years of blogging, I've learned that criminals are smart and persistent. Monitor only one branded credit report (e.g., Experian's), and criminals will approach lenders who use other branded credit reports, in order to take out fraudulent loans.

So, what to make of this breach? I see several issues:

  1. Transparency matters: the MIE breach and its post-breach response highlight the importance of transparency. Health care providers and outsourced vendors should make it easy for patients to determine who has their electronic health records and why. Breach notices should clearly state both the EHR vendor's name and the health care provider each patient specifically used. Don't use the vague, confusing language MIE used. (See above.) Be specific and clear in breach notices. Something like this would be better: "We acquired your electronic health records during [year] from Concentra. It was acquired for [insert reasons]."
  2. Update online policies: health care providers' websites should identify the EHR vendors by name in their policies (e.g., terms of use, privacy). EHR vendor sites should identify their clients. Why? When breaches happen, patients need to quickly and easily verify the vendor's breach notice received. When policies don't mention vendors by name, verification is harder.
  3. Effective credit monitoring: ideally, provide a free service that monitors credit reports at all three major credit reporting agencies (e.g., Equifax, Experian, and TransUnion), not one.
  4. Cloud-based EHR services: is this the best, safest way to store PHI? Cloud storage offers speed, flexibility, and storage benefits. But what about security? Can PHI be effectively secured and protected in the cloud? If you want to learn more, read this 2013 report by the Center for Democracy & Technology about HIPAA compliance and cloud storage (Adobe PDF). The MIE breach highlights the risk. Time will tell if experts were correct. Time will tell if cloud-storage vendors can adequately protect electronic health records (EHR).

In my opinion: an epic fail is brewing. It seems that MIE has done, so far, the minimum with its post-breach response. The efforts seem focused upon avoiding liability instead of helping affected patients. So far, MIE has failed to provide a satisfactory answer about when, how, and why it acquired my wife's electronic medical records. I look forward to more disclosures by MIE about exactly how hackers breached its system, and what it will do so this doesn't happen again.

During the next day or so, my wife and I will file a HIPAA complaint. I encourage other patients in similar situations to file complaints, too.

Did you receive a breach notice from MIE? What are your opinions of the MIE data breach and the company's response? Of the free ProtectMyID credit monitoring arranged by MIE? If you have used Concentra, what are your opinions of it?


Costco, CVS, And Wal-Mart Canada Investigate Possible Data Breaches

On Friday, CVS and Wal-Mart Canada announced investigations into possible data breaches at their photo centers. On Monday, Costco announced a similar investigation about a possible data breach. Costco has also suspended operations of its photo centers. The number of credit card customers affected is unknown at all three retailers.

The outsourcing vendor involved is PNI Digital Media, with offices in Vancouver, British Columbia (Canada) and England. According to its website, PNI Digital Media operates 19,000 retail locations and 8,000 in-store kiosks. The New York Times reported:

"... the breaches highlighted the importance of more rigorously vetting I.T. vendors at a time when companies outsource more and more of their technology operations. Vendors have often proved to be the weakest link..."

Staples acquired PNI Digital Media in July, 2014. At press time, the vendor's latest tweet was May 20, two months ago. That tweet announced that hiring was underway for several positions, including front and back-end developers.

Until the retailers announce more about their breaches, experts advise customers of the above retail stores to closely monitor their bank and card statements for fraudulent charges.


China's New National Security Law Raises Intellectual Property, Privacy, And Supply Chain Concerns

The New York Times reported about China's new national security law and how it will affect U.S.-based corporations doing business there. The new law also raises intellectual property, privacy, and supply-chain concerns. What is different about the new law:

"New language in the rules calls for a “national security review” of the technology industry — including networking and other products and services — and foreign investment. The law also calls for technology that supports crucial sectors to be “secure and controllable,” a catchphrase that multinationals and industry groups say could be used to force companies to build so-called back doors — which allow third-party access to systems — provide encryption keys or even hand over source code."

The term "controllable" seems to imply a lot more than access via back doors to software and computing systems. Closely related to this new law are disagreements between the United States and China:

"The United States has accused China of state-sponsored hacking attacks against American companies to gain a commercial advantage... In turn, China maintains that the disclosures by Edward J. Snowden, the former United States National Security Agency contractor, about American online espionage give it plenty of reason to wean itself from foreign technology that may have been tampered with by United States intelligence agencies."

The Ministry of State Security is China's intelligence agency. In April, China withdrew a law that:

"... restricted which technology products could be sold by foreign companies to Chinese banks. Groups that represent companies like Apple, Google and Microsoft had pushed against that law."

Australia's Sydney Morning Herald reported:

"... the Chinese government has enacted a new national security law that amounts to a sweeping command from President Xi Jinping to maintain the primacy of Communist Party rule across all aspects of society. The law is expected to bolster the power of China's domestic security apparatus and military. The law says "security" must be maintained in all fields, from culture to education to cyberspace... security must be defended on international seabeds, in the polar regions and even in outer space."

The Herald added:

"The law is one of three being scrutinised by foreign leaders and corporate executives... The other two laws are expected to be passed soon; one would regulate foreign non-governmental organisations and place them under the oversight of the Ministry of Public Security, and the other is a counterterrorism law... Legal scholars and analysts in China say it will probably lead to the security apparatus amassing more power..."

The U.S. Chamber of Commerce and several companies sent a letter in January 2015 to China calling for more discussions about the new law. The new laws seem to be a clear rejection of that request.

So, there are more security laws to come from China. China's new law raises several questions:

  1. How will high-tech companies respond? Will they comply, fight the new laws, or relocate their businesses to more hospitable countries?
  2. Will Apple permit the Chinese to have back doors or keys to its products after denying that to the U.S. intelligence community?
  3. Reportedly, Google has included NSA code in its software. Will it also allow the MSS to include code?
  4. How will IBM, Cisco, Microsoft, and other high-tech companies respond?
  5. Is it possible to technically alter software products and Internet service for only the Chinese market, which aren't sold in other countries?
  6. If #5 is possible, would other countries' governments accept differentiated products, or demand the same backdoor access as China?
  7. How will the new law affect the Internet of Things (IoT), especially Internet-capable appliances made in China?

What are your opinions of China's new security law? Are there any more issues or questions than the seven listed above? How do you think U.S.-based corporations should respond to China's new law?


Guestworker Programs, Reshoring, And Skilled Workers. The Impacts Upon American Workers

In March 2015, Ron Hira, a Research Associate and Associate Professor of Public Policy at Howard University, testified before the U.S. Senate Judiciary Committee hearing about immigration reforms needed to protect skilled American workers. That classification includes workers in various high-tech jobs. Mr. Hira testified:

"Congress and multiple Administrations have inadvertently created a highly lucrative business model of bringing in cheaper H-1B workers to substitute for Americans. There are mainframe-sized loopholes built into the H-1B program’s design... Some of these loopholes are intentional, some are not, but they all add up to a system that encourages employers to exploit the H-1B program for cheap labor. Given the extraordinarily high profits involved in using guestworkers instead of Americans, it should surprise no one that many employers are taking advantage of this business model and lobbying to expand it... Myth: Employers must prove there are no qualified American workers before hiring an H-1B... Myth: H-1B workers cannot be cheaper than Americans because employers must pay the “prevailing wage”... Myth: Compliance with the program’s rules that protect American workers is robust..."

You may have believed those myths. Now you know otherwise. That abuse of the H-1B visa program may affect you, an employed family member, or somebody you know. How? Mr. Hira explained:

"... This is not just adversely affecting a few workers. The H-1B program is very large with approximately 120,000 new workers admitted annually. Once admitted those workers can remain in the U.S. up to six years. While no one knows exactly how many H-1Bs are currently in the country, analysts estimate the stock of H-1B workers at 600,000..."

Of course, the corporations claim that they can't find skilled American workers. Mr. Hira explained what's really happening and how it extends beyond H-1B visa recipients:

"Most of the H-1B program is now being used to import cheaper foreign guestworkers, replacing American workers, and undercutting their wages... There are hundreds of thousands of additional guestworkers admitted on L-1 and OPT visas, and they too are harming the job prospects of American workers. Because Congress never expected L-1 and OPT workers to be potential competition to American workers those programs have virtually no rules to protect American workers. That expectation was incorrect. As with the H-1B program, these guestworker visa programs are now being used too to replace and undercut American workers."

Sadly, government agencies also perpetuate the problem:

"The recent case of Southern California Edison (SCE) illustrates the most flagrant abuses of the H-1B program and exposes the flaws in the protections for American workers. As reported by ComputerWorld and the Los Angeles Times, SCE is replacing its American workers with H-1B workers hired by outsourcers Tata and Infosys. To add insult to injury, SCE forced its American workers to train their H-1B replacements as a condition of receiving their severance packages. There could not be a clearer case of the H-1B program being used to harm American workers’ wages and working conditions."

You may remember a similar incident at Disney where fired American workers were forced to train their foreign replacements before leaving. Pew Charitable Trusts reported about other alleged abuses:

"A computer programmer from India was promised a $46,500 salary in New York, plus tuition to study for a master’s degree. Instead, his annual pay averaged less than $13,000 and his degree was withheld when his employer failed to make the promised tuition payments. In California, veteran computer workers at a health care company say they were forced to train cheaper foreign replacements before being laid off, even though the replacements were hired under a program meant to fill critical jobs when employers can’t find qualified U.S. citizens or permanent residents who hold green cards to fill them."

I encourage you to visit the Pew Charitable Trusts article, because it features an interactive map where you can discover the number of H-1B workers in your state.

Some readers in denial may be thinking: I have a college degree, or I work in a high-tech job such as writing code for websites and mobile apps. It won't affect me. I'm immune.

Don't fool yourself. It will affect you. It probably already has. Former U.S. Labor Secretary and professor Robert Reich summarized the problem in a June 16 Facebook post (links added):

"... the [U.S.] Senate is considering a bill to raise the number of skilled foreign workers that can come to the U.S. on H-1B visas... It’s a bad idea. When Secretary of Labor, I was responsible for implementing the H-1B visa program – and again and again found high-tech companies claiming they needed skilled workers from abroad because they couldn’t find ...such workers in the U.S. -- when in reality they just didn’t want to pay higher wages to Americans with those same skills... A study released in April by the National Bureau of Economic Research found that H-1B visa recipients crowd out American workers, lowering wages and raising profits without increasing productivity. A 2013 analysis by the Economic Policy Institute found there are more than enough U.S.-born high-tech workers to fill jobs here, and that companies have been using foreign workers to cut costs, knowing they’re easy to intimidate because if they lose their jobs they have to leave the U.S."

You can read this study by researchers at the University of Notre Dame and University of California at Berkeley (Adobe PDF). They concluded:

"We find some evidence that additional H-1Bs lead to lower average employee wages while raising firm profits... we robustly find that new H-1Bs cause no significant increase in firm employment..."

Think about that. Firms pay less to other employees. So, even if you aren't replaced, you may be paid less or your annual wage increases are smaller. The savings went to the company's profits, and to senior executives rewarded for those savings via bonuses.

I have experienced the high-tech guest-worker situation. As a freelancer with a master's degree and plenty of experience, I work with a variety of digital agencies to produce websites for corporate clients. Several years ago, I subcontracted with an agency to work on a website redesign project. That project included a client company's internal website (called an "Intranet") to automate and streamline its human resources processes, forms, and performance reviews for both managers and employees. I was hired to perform the usability work and lead several focus-group sessions with the client company's employees and managers.

After meeting my project team members, I saw immediately the situation. Another person and I were the only two American workers on this project team. The rest of the team included workers from India to perform the project management, documentation, website development, quality assurance, and coding work. Plenty of my peers at other digital agencies, and some as freelancers, regularly perform all of these tasks. So, there's no shortage of qualified, experienced American workers.

During this three-month project, the foreign guest workers flew in from Mumbai as needed for their roles, and shared rooms in a rented home (cheaper than a hotel). When their role on the project was finished, they either returned to Mumbai or traveled to another U.S. location for their next project. The math probably went like this: the digital agency probably charged its corporate client an average of about $120 per hour across all project team members. The digital agency paid me $90.00 per hour, paid the foreign workers maybe $40.00 per hour, and pocketed the difference. So, the agency's profits were $30.00 per hour for American workers like me, but a far higher $80.00 per hour with foreign workers.

This looked to me like a clear corporate choice aided by a willing digital agency. You'd never know it happened unless you worked directly on the project.

Multiply my experience by thousands of others and you get an idea of how vast the problem is. Corporations, politicians, and news media that defend this employment abuse may announce that thousands of jobs are returning to the USA (often called "reshoring"), but you now know what's really happening. Informed voters question announcements and demand to know if the returning jobs are pre-filled with foreign guest-workers while the employers don't bother looking to hire American workers. You now know more to contact your elected officials and demand that they explain what they are doing to protect American workers.

When returning jobs are pre-filled with guest workers, then there's really no benefit to USA citizens and plenty of downside: unemployment levels remain high, it is harder to find full-time work, and for workers over 55 years of age it can be impossible to find full-time work. You now know it's a pro-business free-for-all at the expense of middle-class and skilled workers.

What are your opinions of skilled guest workers? Of the H-1B visa program? Have you had to train foreign guest workers?


AT&T To Pay $25 Million Penalty For Data Breaches At Offshore Call Centers

In April, the U.S. Federal Communications Commission (FCC) announced that AT&T Services, the telephone giant, will pay $25 million to settle consumer privacy violations at the company's call centers in Mexico, Colombia, and the Philippines. The FCC announcement described how the insider breach happened:

"The data breaches involved the unauthorized disclosure of almost 280,000 U.S. customers’ names, full or partial Social Security numbers, and unauthorized access to protected account-related data, known as customer proprietary network information (CPNI)... According to an investigation by the FCC’s Enforcement Bureau, these data breaches occurred when employees at call centers used by AT&T in Mexico, Colombia, and the Philippines accessed customer records without authorization. These employees accessed CPNI while obtaining other personal information that was used to request handset unlock codes for AT&T mobile phones, and then provided that information to unauthorized third parties who appear to have been trafficking in stolen cell phones..."

The data breach in the Mexico call center lasted 168 days and began between November 2013 and April 2014. The FCC Enforcement Bureau began its investigation in May 2014:

"... three call center employees were paid by third parties to obtain customer information — specifically, names and at least the last four digits of customers’ Social Security numbers — that could then be used to submit online requests for cellular handset unlock codes. The three call center employees accessed more than 68,000 accounts without customer authorization, which they then provided to third parties who used that information to submit 290,803 handset unlock requests through AT&T’s online customer unlock request portal."

Also:

"... approximately 40 employees at the Colombian and Philippine facilities had also accessed customer names, telephone numbers, and at least the last four digits of customer Social Security numbers to obtain unlock codes for AT&T mobile phones. Approximately 211,000 customer accounts were accessed..."

The FCC announcement stated that AT&T's failure to reasonably secure customers’ personal information violated a carrier’s duty under Section 222 of the Communications Act. The breach also constituted an unjust and unreasonable practice in violation of Section 201 of the Act. Terms of the settlement agreement require AT&T to:

  1. Pay a $25 million civil penalty,
  2. Notify all customers whose accounts were accessed,
  3. Provide credit monitoring services to all consumers affected,
  4. Improve its privacy and data security practices: appoint a senior compliance manager, implement an information security program,
  5. Conduct a privacy risk assessment,
  6. Prepare an appropriate compliance manual, and
  7. Regularly train employees on the company’s privacy policies and the applicable privacy legal

AT&T is also required to provide regular compliance reports to the FCC. FCC Chairman Tom Wheeler said about the breach:

“As the nation's expert agency on communications networks, the Commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud... the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers.”

According to its website, AT&T has more than 120 million wireless customers, 12.2 million U-verse high-speed Internet customers, and 3.5 million business customers. Total company revenues were $128.8 billion in 2013. The total workforce in 2014 was 243,620 employees. Download the AT&T Consent Decree with the FCC (Adobe PDF).

The breach announcement and settlement highlight the extent to which consumers' sensitive personal information is transmitted around the world, and the vulnerability of that information at offshore facilities. When companies move jobs to other countries, that often requires the transmission of consumer information to facilities in those countries.

Also, the breach emphasizes the fact that criminals have done their homework. They have identified both the corporations that are high-value targets with large amounts of consumer information, and the offshore locations. I applaud the FCC's actions and expect to hear more.

[Editor's note: in the interest of full disclosure, I am an AT&T mobile customer. I also received a breach notice from the company. I will share more about that in an upcoming blog post.]


Samsung Updates Its Smart TV Privacy Policy. What Consumers Need To Know

If you haven't noticed the technology trend, many smart televisions include voice recognition features. So, similar to smart phones, smart televisions include embedded microphones. This week, television maker Samsung updated the privacy policy for its smart televisions. Previously, the policy did not name the third-party company providing the voice recognition features.

Many consumers are concerned about their privacy. Consumer Reports explained the privacy concerns:

"Manufacturers have been producing smart TVs with voice recognition since 2012... many televisions have come to market that even monitor the viewing habits of their owners. Are these TVs capturing and transmitting highly personal conversations from inside consumer's homes and logging their channel-surfing behavior? Plenty of people have registered exactly this concern, including this British blogger back in 2013, as well as Michael Price, of NYU's Brennan Center for Justice... an article last week in The Daily Beast has caused a new uproar..."

So, Samsung attempted to address these concerns in its blog with a change to its privacy policy. Yesterday, Samsung stated in its blog:

"Some Samsung Smart TVs offer voice recognition functions. These functions are enabled only when users agree to the separate Samsung Privacy Policy and Terms of Use regarding this function when initially setting up the TV. Apart from initial setup, users are given the choice to activate or deactivate the voice recognition feature at any time."

Consumers enable or disable the voice recognition features through the Settings menus on their television. Samsung admitted that the text of its privacy policy caused some confusion. The old privacy policy text:

"Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition."

That sounds confusing and intrusive to me. The revised privacy policy text:

"If you enable Voice Recognition, you can interact with your Smart TV using your voice. To provide you the Voice Recognition feature, some interactive voice commands may be transmitted (along with information about your device, including device identifiers) to a third-party service provider (currently, Nuance Communications, Inc.) that converts your interactive voice commands to text and to the extent necessary to provide the Voice Recognition features to you. In addition, Samsung may collect and your device may capture voice commands and associated texts so that we can provide you with Voice Recognition features and evaluate and improve the features. Samsung will collect your interactive voice commands only when you make a specific search request to the Smart TV by clicking the activation button either on the remote control or on your screen and speaking into the microphone on the remote control."

"If you do not enable Voice Recognition, you will not be able to use interactive voice recognition features, although you may be able to control your TV using certain predefined voice commands."

That's an improvement. It's good that Samsung explicitly named the feature provider, since many manufacturers don't. Interested consumers might go the next step and visit the Nuance Communications site to see who they share data with.

Samsung's new privacy text is an improvement, but it is not 100 percent clear. Either the voice recognition feature is on or off; enabled or it isn't. There shouldn't be a halfway state, where the consumer turns the feature off but the television still accepts some predefined verbal commands. That is dumb and dishonest.

According to Consumer Reports, Nuance Communications works with:

"... Samsung developers to bring voice control applications to wearable devices such as Samsung’s Gear series of smart watches. Nuance is also behind Apple’s Siri personal assistant—or, at least Nuance CEO Paul Ricci said it was back in 2011. Through its Dragon Drive platform, Nuance brings voice control and smart phone integration to the telematics systems of Audi, Lexus, BMW, and Mercedes-Benz vehicles. And Nuance also has products that allow doctors to dictate and manage patient medical records..."

Data collection (or surveillance) by smart televisions is a disturbing trend. Consumers have paid good money for smart televisions. Manufacturers should be able to make sufficient profits from sales without having to resort to data collection. If the smart TVs were free, then I would expect data collection. But consumers pay good money for smart TVs. The data collection shouldn't be needed. Why the data collection, Samsung?

This presents some challenges for consumers. As I see it, smart, informed consumers should be aware of several issues and exercise the following choices:

  1. View smart televisions with voice recognition features just as you would voice-activated smart phones, video games, and automobiles. Make smart, informed purchases. Don't buy any products that lack privacy policies, which has been the case with too many mobile apps.
  2. View smart televisions like social networking sites. Just like many social sites collect and save both your published and unpublished posts including edits, smart televisions are headed in the same direction. Why? First, companies want to collect as much data as they can about you, your preferences, and attitudes. Second, developers believe that consumers talking to devices builds relationships with those devices.
  3. Before purchase, read both the privacy and terms of use policies. If you don't like them, don't buy the product.
  4. After purchase, know how to turn voice recognition features on and off. You may turn it on at certain times and then leave it off at all other times. Read any and all privacy policy updates the manufacturer sends so you know what data is collected and shared.
  5. Know that any feature the "good guys" develop can be hacked by "bad guys."
  6. Your home should be a safe place where consumers can have truly private conversations. Several technologies threaten that. You may have to go to another room (or unplug and disconnect the Internet-connected device) to have a truly private conversation.
  7. If you are a parent, you know best when to explain privacy to your children (or grandchildren) based upon their ages and capabilities. Doing nothing does not seem to be a wise option.
  8. If you have questions, visit both the manufacturer's web site and trustworthy sites. (Hopefully, this blog is one.) The Resources page in this blog contains links to many trustworthy sites.
  9. Contact your elected officials and tell them about your concerns.

What are your opinions about smart televisions? Samsung's new privacy policy? What do you do to ensure private conversations in a room with a smart television?