Former Employee At Web Hosting Service Arrested And Charged With Felony Computer Breaches

Ars Technica reported that Eric Gunnar Gisse, a former Hostgator employee, has been arrested and charged with felony computer breaches. Gisse allegedly used his position to install secret code that allowed him unauthorized, "back door" access to more than 2,700 Internet-connected computer servers. Gisse, of San Antonio, Texas is being held on $20,000 bail in the Harris County jail.

This highlights one risk with cloud computing services. Many companies outsource the operation of their website to third-party vendors, such as Houston-based Hostgator, that offer what the industry calls "web hosting services." This is not new.

As a usability professional who has worked with several digital agencies, I have seen this outsourcing repeatedly work well and data maintain security. The issue is when employees abuse their positions and either steal or expose the sensitive information of people who use the compromised web servers.

The C/Net website lists companies that provide web hosting services.

60 Minutes: Dispute Processes At Credit Reporting Agencies Fail To Fix Errors in Consumers' Credit Reports

Recently, the 60 Minutes television news magazine reported about the credit reporting industry. The report focused on problems with the dispute process: failures by the largest three credit reporting agencies to correct errors reported by consumers on their credit reports.

Basically, one out of every five Americans has an error on their credit report. That is a massive amount of credit reports with errors, since the companies archive credit reports for about 200 million Americans and since each person has at least three credit reports (e.g., one report each at Equifax, Experian, and TransUnion, plus regional credit reporting agencies). That is an unacceptably high error rate.

Few other businesses would remain operating with such a high error rate. Think of it this way: if one out of every five airplane passenger was killed or injured during a crash, then that airline would be out of business. At a minimum, the public wold demand changes and accountability. If one out of every five credit card purchases were incorrect or lost, that bank would be out of business. And, consumers would demand changes and accountability. But somehow, credit reporting agencies remain in business despite high error rates. If you made an error in one out of five projects at your job, your employer would likely suspend or fire you.

If you are unfamiliar with what credit reporting agencies do, here's what you need to know. The banks and lenders you already have loans or credit accounts with, provide your history to the credit reporting agencies about your loans, payments you've made (or failed to make), outstanding loan balances, and the associated dates. When a loan is paid off, your credit report should indicate that. Like social networking websites, you are the product since credit reporting agencies make money by selling your credit reports to potential lenders (e.g., banks, retail stores, phone companies, educational loan companies), both when you apply for credit and when potential lenders request credit reports in order to send out offers via e-mail or snail mail.

Credit reporting agencies also make money by selling to consumers both credit scores and credit monitoring services, whose monthly fees can be as high as $18. 60 Minutes reported that these credit monitoring services don't provide consumers with the exact same credit reports that the credit reporting agencies sell to potential lenders. I'd like to hear more about that.

Your credit report is the basis of future lending decisions made by potential lenders. A bad or inaccurate report will affect and lower your credit score, the overall number used to indicate your credit worthiness. A low credit score can cost you money: denied credit applications, or approved loans but with a far higher interest rate. Bad reports can include valid late or non-payments on your loans. The errors in credit reports can include another person's data co-mingled with yours (obviously, that should never happen), a dead person's data co-mingled with yours, or a credit report that doesn't accurately reflect a loan you truly paid off on time and/or in full.

The $4 billion credit reporting industry is dominated by three huge companies: Equifax, Experian, and TransUnion. What 60 Minutes didn't mention is that credit reporting agencies regularly do business with data brokers, such as Acxiom, to buy and sell your personal information. Credit reporting agencies experience data breaches, just like other companies.

The reality is that information in your credit report is transmitted around the globe, since much of the credit report maintenance and customer service operations are outsourced to firms in other countries (e.g., Argentina, Brazil, Canada, Chili, Costa Rica, El Salvadore, Honduras, India, Ireland, Jamaica, Peru, Portugal, Spain, United Kingdom, Uruguay). The work is often performed by low-wage workers. Readers of this blog are already know this, since this blog reported a 4-part series in 2008 about offshore outsourcing within the industry. The 60 Minutes reporter interviewed several former credit reporting agency workers in Chile, who admitted that they really didn't have any way to investigate errors, and were directed to simply assign number codes to error disputes submitted by consumers, and then rubber-stamp inputs from lenders; regardless of whether that input was correct or incorrect.

If this makes you mad, it should. The 60 Minutes report included concerns by the Attorney General for the state of Ohio, Mike DeWine. He is concerned that the credit reporting agencies don't fix mistakes in consumers' credit report, that the high error rates are the industry's fault (and not the banks'), and that the industry violates the Fair Credit Reporting Act (FCRA). While the industry claims that it adequately protects the credit reports of children, DeWine's office has taken action to check the accuracy of the credit reports of youth in the state's foster care system.

60 Minutes reported that some consumers have sued credit reporting agencies to get a resolution and errors fixed. Consumers shouldn't have to go to that extreme to resolve errors in their credit reports. Perhaps, some enterprising class-action attorney will take up the challenge.

You can watch the report below. After watching it, report any credit problems you have had to the CFPB. You should also contact your elected officials and demand action:

Want to learn more? Read:

• Equifax And Its Customers To Pay $1.6 Million In FTC Settlement About Alleged Improper List Sales
• FTC Survey: The Good And Bad Experiences Of Identity-Theft Victims With Consumer Reporting Agencies
• Data Breach At Experian Credit Reporting Service
• Ohio Attorney General helps foster youth with credit report errors
• How to dispute errors in your credit reports (video)
• The website with truly free credit reports for consumers

Move Your Money To... Walmart? A Good Deal?

This blog has covered extensively the ways banks have "mugged" consumers via higher fees, higher interest rates, traps, and tricks. I was surprised to read in the Tuesday the New York Times a report about some consumers moving their money to Walmart Money Centers, instead of to banks or credit unions. Move your money to Walmart? Really?

After reading the newspaper article, I visited the Walmart Money Centers website to learn more:

By offering several a la carte banking services (e.g., debit card, money transfers, bill pay, money orders, credit cards, check cashing, and checks), Walmart has wormed its way into banking. If it walks like a duck, sounds like a duck, and smells like a duck -- then it must be a duck. How was this allowed to happen?

Apparently, many consumers who don't have a checking account (e.g., referred to as the "unbanked") are using Walmart Money Centers to cash they paychecks, since the fees are lower than at many banks. I have mixed feelings about this. Here's why:

Advantages:

• It benefits consumers to have a competitive choice since Walmart Money Centers offer lower check-cashing fees than banks and payday lenders. That could create a downward pressure on banks to lower their fees to remain competitive
• I see the benefit to Walmart of paying its associates via Walmart debit cards. This removes or lowers the middle-man processor costs

Now, the disadvantages.

First, "banking" with Walmart is still very expensive for consumers. A $3.00 fee to cash a $800.00 weekly paycheck is really an effective annual interest rate of 19.5% ($3/$800 x 52 pay periods per year). That same $3.00 fee on a $400 weekly paycheck equals a 39% effective annual interest rate.

The Walmart MoneyCard (e.g., debit card) is expensive, too. The $3.00 fee to load money onto a card, plus the $3.00 monthly maintenance fee is really an effective annual interest rate of 18% (assuming a $300 paycheck and 26 pay periods per year). So, a consumer is paying 18% to access their own money. What? That 18% is a rate similar to many credit cards, where a consumer can avoid the interest charges by paying their balance in full at the end of the month.

While Walmart Money Centers may seem like an attractive option, it's really expensive "banking." Better to find a credit union with free checking and save both the $78 in annual check-cashing fees and $108 in annual debit card fees.

Second, I can understand the benefits for Walmart of paying its associates via Walmart debit cards. The benefits for Walmart Associates are questionable at best, given the above debit-card fees. The lack of banking choice is troublesome:

"Walmart associates may receive their pay either by direct deposit or through the First Data Money Network program and may access their wages through the Money Network MasterCard Paycard(R) or Money Network(TM) Checks."

This reminds me of the old "company store" practice from the 1800's where companies forced their employees to shop only at the company store, and kept them in debt bondage -- only it's worse today. How? Keep reading.

Third, the lack of disclosure and transparency is extremely troubling. If a consumer left Bank of America for a Walmart Money Center, then you are still banking with some of the same companies that perform outsourced, back-office financial transactions. According to a 2009 Reuters press release:

"Walmart, MasterCard Worldwide and First Data today announced a new, more sustainable payroll program designed to reduce the number of paper paychecks and pay stubs distributed each year to Walmart and Sam's Club associates... "

Alert readers will remember that First Data is a joint venture partner with Banc of America Merchant Services to process BofA debit card transactions. When I asked Bank of America to explain this joint venture, they declined to comment. And, there's more.

Wal-mart operates its Money Centers by outsourcing functions to Moneygram. According to Hoovers, Moneygram:

"... sells MoneyGram-branded cash transfers and money orders at some 227,000 locations around the globe. It is the leading provider of money orders in the US, issuing some 175 million annually. Wal-Mart is MoneyGram's largest money-transfer and money order agent, accounting for more than a quarter of the company's revenues. MoneyGram also offers in-person and electronic bill payment services, letting users pay everything from mortgages to utilities, and processes official checks for financial institutions."

In September, Fitch Ratings announced in a press release:

"MoneyGram has been informed that it is being investigated by a federal grand jury in connection with its consumer anti-fraud and anti-money laundering program matters for the period 2004 to early 2009. A prior similar investigation led to MoneyGram paying an $18 million fine..."

Thomas H. Lee Partners and Goldman Sachs own about 85% of MoneyGram.

Fourth, I thought that Walmart was prohibited from banking. The New York Times reported:

"Four years ago, Wal-Mart abandoned its plans to obtain a long-sought federal bank charter amid opposition from the banking industry and lawmakers, who feared the huge retailer would drive small bankers out of business and potentially conflate its banking and retail operations. Ever since, Wal-Mart has been quietly building up à la carte financial services, becoming a force among the unbanked and “unhappily banked,” as one Wal-Mart executive put it."

Fifth, the fine print about the Walmart MoneyCard states the following about its debit card:

"The Card is issued by GE Money Bank, member FDIC, pursuant to a license from Visa, U.S.A. Additional services provided by Green Dot Corporation. Not available in all states. Issuance fee, monthly fee, and other fees apply..."

This means that Walmart outsources its debit card operations to GE Money Bank, where cardholders' money and accounts are insured by the Federal Deposit Insurance Corporation (FDIC) which insures banks. So, the FDIC is effectively insuring Walmart! I'll bet you didn't know that. Neither did I until I read the fine print. How did this happen?

I hope the New York Times reports more about all of this.

My main point: if consumers choose to "bank" at Walmart Money Centers, you should know who you really are doing business with. The Walmart brand name appears the retail stores, but several outsourced companies actually process its financial transactions -- just like the big banks.

Me? Walmart Money Centers do not appeal to me for both the reasons above, and plus several Walmart business practices. Hence, I have boycotted Walmart since 2000.

What do you think? Are Walmart Money Centers a good option? If you have moved your money to Walmart, share your experiences.

Data Breach Via Insider Identity Theft at North Carolina Hospital

The Data breach cause that scares me most is insider identity theft because it involves employees that should be trustworthy, and aren't. It also emphasizes that the company, hospital, or government agency have an aggressive "red flags" program in place to monitor who accesses sensitive consumer information (e.g., customers, patients, clients, employees, contractors), and compliance with data security policies.

Yesterday, the News-Record reported a data breach involving protected patient information at High Point Regional Health System. An employee took home 47 patients' files, and later returned them. Officials believe the data breach occurred between September 14 and October 6. Hospital representatives learned of the breach last month by an employee at Premier Imaging LLC, a hospital subsidiary. The employee has since been fired.

The breached records included patients' names, residential addresses, dates of birth, Social Security numbers, driver's license numbers and insurance information -- all of the critical data elements for thieves to assume another person's identity and do significant damage with health or financial accounts. An investigation by the health system could not determine whether the former employee has any patient information in her possession or has used it in any way.The hospital has notified affected patients, and arranged an identity protection service for the affected consumers.

Specific data security rules exist for hospitals and health care organizations. According to the Health & Human Services website, the information that must be protected includes:

"Information your doctors, nurses, and other health care providers put in your medical record; conversations your doctor has about your care or treatment with nurses and others; Information about you in your health insurer’s computer system; billing information about you at your clinic; and most other health information about you held by those who must follow these laws."

The companies that must follow this law are called "covered entities," and include doctors, pharmacies, nursing homes, HMO's, health plans, health insurance companies, and vendors hired under certain conditions.

Data Breach Affects 4.9 Million Active And Retired Military Personnel And Their Families

TRICARE Management Activity, the health care program for military personnel worldwide, reported last week a massive data breach involving the personal and medical records of 4.9 million active and retired military personnel and their families. The backup computer tapes, stolen from a contractor's automobile, included records from a military health system that captured patient data from 1992 to September 7, 2011. The lost/stolen information included:

"... Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions. There is no financial data, such as credit card or bank account information..."

In its press release, TRICARE stated that it will take about four to six weeks to notify directly all breach victims. A breach investigation is underway. The contractor company is Science Applications International Corporation (SAIC). SAIC is operating an Incident Response Call Center, which breach victims can call. Breach victims should monitor their credit reports, and report any fraud to the U.S. Federal Trade Commission and to local law enforcement.

While TRICARE estimated the risk to breach victims as low, and stated in its press release that special computer hardware and software are required to access the data on the backup tapes. Based on this estimate, TRICARE is not offering breach victims complimentary credit monitoring or credit resolution services. In my opinion, that is unacceptable and not the way to support the troops. It places the burden on troops who are busy defending the country, often at risk of life. It is a time consuming and burdensome process to fix medical records that co-mingle both the victim's and the fraudster's health history. TRICARE and SAIC are responsible for maintaining adequate data security, and should do the right thing: provide free credit monitoring and credit resolution for two to five years to breach victims.

If there is one thing I have learned while writing this blog is that identity thieves and fraudsters are persistent, and often have access to the same computing resources that everyone else has. Simply, it may take time for the criminals to access the stolen data, and the criminals have the time. The value of the stolen data is unquestionable, and is sufficient for identity thieves to obtain medical care fraudulently, assume others' identities, and/or reuse the Social Security numbers for other identity fraud acts or fraudulent employment.

SAIC describes itself as:

"... a FORTUNE 500® scientific, engineering, and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure, and health. We do this with the constant and deliberate commitment to ethical performance and integrity that has marked SAIC since its founding."

Refusing to help breach victims by avoiding to pay for credit monitoring and resolution services does not demonstrate any type of "commitment to ethical performance" or problem solving. Rather, it is hoping the problem will simply go away, and leaves the breach victims with the monitoring and cleanup burden. To use an American football analogy, TRICARE and SAIC have simply punted the football.

Interested military personnel and families should read the TRICARE press release with accompanying questions and answers (PDF).

If you agree and believe that both TRICARE and SAIC should do more, share your opinions below and at:

• SAIC: Facebook, Twitter
• TRICARE Management Activity: Facebook, Twitter

Hays Apologizes For Email That Caused Breach At Royal Bank of Scotland

An employee at Hays, a global staffing and recruitment company used by the Royal Bank of Scotland (RBS), apparently sent an email which caused a data breach at RBS. According to the Kroll Ontrack Data Recovery blog, the email message:

"... detailed the pay rates of around 3,000 contract employees and was sent to some 800 RBS staff... Research by the Ponemon Institute earlier this year revealed that 19 per cent of data security breaches in the UK were caused by mistakes with emails..."

In 2009, the UK Office of Fair Trade fined hays 30.4 million pounds for price-fixing violations, allegedy to prevent a competitor from entering the construction industry.

In 2008, a hacker broke into the computer systems of RBS' payment processing unit, RBS WorldPay. About 1.5 million records were stolen, including the Social Security Numbers of about 1.1 million consumers. Several class-action lawsuits resulted from that data breach.

A year ago this month, the UK Financial Services Authority (FSA) fined members of the Royal Bank of Scotland Group (RBSG) 5.6 million pounds (about US $8.9 million) for failing to have adequate processes and controls, when RBS allegedly performed money laundering to companies on the UK financial sanctions list.

Kroll Ontrack provides a variety of services for companies to search, analyze, and recover data, including computer forensic analyses. In 2007, IBM hired Kroll to assist with IBM's February 2007 data breach. Kroll provided credit monitoring services to IBM's data breach victims.

Epsilon Breach Exposes Millions Of Consumers To Email Spam Attacks

You have probably heard about it in the news. In perhaps the largest data breach ever, a marketing e-mail company, Epsilon, has exposed the e-mail addresses of millions of consumers. Basically, a hacker broke into the company's e-mail computers and stole millions of e-mail addresses. The breach highlights several implications for consumers.

In a press release on April 1st about the breach, Epsilon, a unit of Alliance Data Systems Corporation, said:

"On March 30th, an incident was detected where a subset* of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway."

Epsilon is one of several companies that companies outsource with to send out e-mail offers and deals. Epsilon sends out about 40 billion e-mail messages annually. This outsourcing (and the minimal amount of disclosure) is a fairly common business practice.

The list of Epsilon's clients include several brands you know: Capital One, Citibank, Best Buy, Disney, Home Shopping Network, JPMorgan Chase, Marriott Rewards, Ritz-Carlton Rewards, US Bank, Walgreen's, The College Board, Tivo, and others. On Monday, Epsilon released a very general update that:

"The affected clients are approximately 2 percent of total clients and are a subset of clients for which Epsilon provides email services."

Is that two percent of clients, or two percent of all clients' e-mail addresses? usually when a company is vague about details in a breach notice, things are bad. Plus, the investigation is not finished, so the two percent is probably an estimate and not a final number. I expected more details in the breach notice, including a description of Epsilon's data security actions to prevent a repeat data breach, and to find/prosecute the criminal(s).

You could say this breach notice is vagueness as usual.

This breach highlights several implications consumers should be aware of:

• Breach victims can expect to receive e-mail spam, where fraudsters and identity thieves send phishing e-mails to the stolen e-mail addresses to try to trick consumers into revealing financial information (e.g., credit card numbers, debit card numbers, Social Security numbers, bank account sign-in credentials). So, consumers should know how to recognize phishing e-mails.
• Many news stories mentioned the threat of "spear phishing," where fraudsters target e-mails at a specific company. Yes, that is a real risk. So, the bogus e-mails from spammers may be better crafted than usual and harder to spot.
• Companies regularly share consumers' personal information with other companies they do business with
• Website terms and privacy policies don't always disclose these other companies' names
• The recent trend is for advertising networks to collect more data about consumers. So, future breaches could expose more consumer data than e-mail addresses
• Everyone was lucky this time. The breach didn't include any personal financial or payment information
• Breach notices are often skimpy on details. that makes it tough for consumers to evaluate how security conscious the retailer (and the retailer's outsourced companies) is. Consumers must pressure their Congressional and State representatives for legislation that requires greater disclosures.
• If you are one of those newbie Facebook members with a profile page that is both open to the public and displays your e-mail address, then you are probably already receiving phishing e-mails and this Epsilon breach will just add to the volume in your e-mail inbox.

An I've Been Mugged reader shared the breach notice Walgreen's sent to its affected customers:

"From: Walgreens <Walgreens@email.walgreens.com>
Subject: A Message from Walgreens
Date: Monday, April 4, 2011, 9:17 PM

Dear Valued Customer,

On March 30th, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Walgreens customers were accessed without authorization.

We have been assured by Epsilon that the only information that was obtained was your email address. No other personally identifiable information was at risk because such data is not contained in Epsilon's email system.

For your security, we encourage you to be aware of common email scams that ask for personal or sensitive information. Walgreens will not send you emails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Walgreens.

We regret this has taken place and any inconvenience this may have caused you. If you have any questions regarding this issue, please contact us at 1-855-814-0010. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Sincerely,

Walgreens Customer Service Team"

That's all Walgreens has to say? How can Walgreens be confident when Epsilon isn't finished with its investigation? I expected Walgreens to say much more. Is Epsilon the best e-mail outsource vendor with data security? How is Walgreens working with Epsilon so this doesn't happen again? What updates about the breach investigation are Walgreens executives demanding? How many Walgreens customers were affected?

What's your view of this breach and the breach notices? Were you affected by the breach?

[Note: April 7 -- TechCrunch published the breach notice from The College Board. The CEO of Alliance Data apologized for the breach at its Epsilon unit.]

<a href="http://ivebeenmugged.typepad.com/my_weblog/photos/logo_epsilon.jpg">Download logo_epsilon.jpg (3.7K)</a>

I've Been Mugged Mentioned in SC Magazine

The CyberCrime section of SC Magazine recently ran a two-part article series on the identity-theft risks with call centers. This blog was mentioned in part one and in part two. I was asked about the risk issue related to consumer notification of breaches by vendors or subcontractors located outside the USA. It was also an opportunity to mention my four-part series from 2008 about offshore outsourcing.

I encourage I've Been Mugged readers to visit the article series. Thanks to Charles Jeter and SC Magazine for the coverage.

Taxpayer Stimulus Funds Used By Vendor For Offshore Outsourcing

Periodically, this blog covers outsourcing and offshore outsourcing because much of consumers' sensitive personal data is transmitted to and processed by companies in remote locations and/or other countries. On Monday, the NBC affiliate in Columbus Ohio reported the results of an investigation where the State of Ohio award a contract (funded by taxpayers stimulus money) to a company that outsourced the jobs to a firm outside the USA.

This is wrong is so many ways. Stimulus money is for jobs here, not overseas. And, companies need to be transparent in disclosing their outsourcing activities, especially in website terms. The televised news report:

Poll: Readers' Attitudes About Offshore Outsourcing

Over the past few months, I ran an informal poll on this blog asking readers about their attitudes toward offshore outsourcing. While corporations are good at assembling resources and products from various geographic areas to deliver low-priced goods to consumers, a seldom discussed aspect is that corporations also transmit customers' sensitive information between offices and vendors in several countries.

Consumers are well aware of offshore outsourcing when they talk with a customer service representative who clearly has an accent and is located in another country. Many offshore outsourcing activities are hidden from consumers and customers when those activities are performed in back-office or support operations. I explored in a four-part blog series the issues with offshore outsourcing by the major credit reporting agencies. For example, when consumers submit via paper corrections to their credit reports, those corrections are often entered by staff or vendors located in other countries.

With all of this in mind, I asked I've been Mugged readers to select the statement which best describes their attitudes about offshore outsourcing and consumers' credit information. Here are there responses:

• 14% of respondents felt that companies should not perform offshore outsourcing under any circumstances
• An equal number (14%) felt that offshore outsourcing is okay generally, but shouldn't be used for financial and credit information
• The greatest number of respondents (36%) felt that companies should notify customers if they perform offshore outsourcing and customers should have a choice to opt-out
• Far fewer respondents (9%) felt that companies should notify customers if the company's offshore outsourcing includes customers' sensitive data
• 18% of respondents felt that U.S. Congress needs to do more about offshore outsourcing (e.g., legislation for oversight, auditing, data breach notification, etc.)
• 5% felt that credit monitoring services shouldn't perform offshore outsourcing
• 5% don't care whether companies perform offshore outsourcing or not

What to make of these results? First, this was an informal poll. So, it captured the opinions of only I've been Mugged blog readers. Readers of this blog are consumers who have been affected by identity theft, fraud with bank accounts, fraud with their credit reports, and/or data breach victims.

So, the readership of this blog is somewhat of a self-selecting group that has an interest and knowledge about privacy and their sensitive personal information. For the results to be applicable to the entire U.S. population, the survey participants should have included a random selection from the broader U.S. population.

Second, I believe these results are directional in that consumers want to be informed and want control over their sensitive personal information. It was not surprising to me that the greatest number of respondents (36%) felt that companies should both notify customers if they perform offshore outsourcing and provide their customers with an opt-out mechanism.

This indicates that consumers want to be notified and want control over who has access to their sensitive personal information. The company-customer relationship is built on trust. This sensitive customer information It is not for corporate executives to treat as if it is theirs alone.

Like it or not, companies will have to recognize and deal with this reality.

TransUnion And Acxiom Modify Their Arrangement

I wrote a 4-part series in 2008 about the three major credit reporting agencies and offshore outsourcing. I have not written much about Acxiom, a company that archives and data-mines massive amounts of information about consumers. This blog post is a start to correct that reporting oversight about Acxiom.

RTT News reported:

"TransUnion, and Acxiom Corp. announced a renewed agreement... Under the new multi-year agreement, Acxiom said it will continue to manage the operation of TransUnion's sophisticated mainframe environment and supporting network processes. In addition to delivering robust and secure infrastructure management, Acxiom and TransUnion will continue to combine their data and technology expertise to help clients create accurate, real-time and consistent information across their enterprises and also enable them to drive highly personalized marketing via both companies' multichannel solutions."

Medical Tourism: All Of The Places Patients' Health Records Will Go

I found this Business Insurance article interesting:

"When Scarborough, Maine-based supermarket chain Hannaford Bros. Co. announced last year that it would begin sending its employees to Singapore for knee and hip replacements to save the company money, it attracted the attention of several hospitals in Boston that offered to match the price. What the company probably did not realize at the time was that it was at the forefront of an emerging market: domestic medical tourism. Unlike foreign medical tourism, patients don't leave the country. Instead, they travel to another city within the United States to have procedures for up to 75% less..."

Sounds like outsourced health care to me. The companies involved in this are those companies that fund their own health care programs for their employees.

I found this interesting for several reasons. First, who knew that domestic medical tourism is a growth industry?

"... BridgeHealth International Inc., for example, launched its domestic network of 15 hospitals across the United States about six months ago in response to demand from its insurer and TPA clients... Olympus saw the opportunity to use its existing infrastructure of nearly 30 domestic medical facilities to market to insurers, TPAs and self-insured employers that, like Hannaford, are looking to achieve the cost savings of medical tourism without leaving the country... Healthplace America, which specializes in domestic medical tourism, set up shop last year to market directly to self-insured employers. The Lisle, Ill.-based company provides access to a specialty network of 22 U.S. hospitals."

According to the Examiner.com, medical tourism:

"... is growing at an astonishing rate. The Centers for Disease Control (CDC) estimates that in 2006, half a million Americans traveled abroad for health care. According to the Deloitte Survey of Health Care Consumers, the number rose to 750,000 in 2007; the report projects that the figure will increase to 6 million by 2010... People travel abroad for root canals, routine dental work, face lifts, hysterectomies, joint replacement, and bypass surgery... Some of those heading overseas are among the nearly 50 million Americans without health insurance."

There is even a magazine devoted to the medical tourism industry.

Second, this represents another situation where more companies (domestic and foreign) besides the employer will share consumers' sensitive personal data. In this model, who ensures data security? Who notifies and helps the employee/consumer when there is a data breach? What happens when the outsource health care firm is located in a state without consumer breach notification laws?

Third, whether it is domestic medical tourism or foreign medical tourism, I wonder what control or choice the employee has beyond elective procedures.

Fourth, the phrase "medical tourism" is misleading. It makes it sound so benign. Tourism is when the consumer visits a place to visit based on their interest or choice. Let's call it what it is: outsourced health care (domestic) and off-shore outsourced health care (foreign).

Delta Returns Outsourced Call-Center Jobs From India To USA

From the Boston Globe newspaper:

"Delta says it's no longer outsourcing reservation calls to India. Why? The move was made in response to years of complaints by American customers who say they sometimes have a tremendous amount of difficulty understanding the foreign telephone workers."

The airline company closed its India call-center during the first quarter of 2009, and employs about 4,500 call-center workers in the USA. will continue to operate call centers in Jamaica and South Africa. Delta Air Line's offshore outsourced call-center change comes about two months after United Airlines announced the closing of its call center in India.

While the changes affect a tiny number of jobs, I believe that this is important for several reasons. First, it is good that Delta is responding to customer dissatisfaction. Poor quality or incompetence is unacceptable in whatever country the call-center is located.

Second, both airlines have been transparent in their communications with consumers. More companies need to follow their lead and tell consumers exactly what they are doing.

Third, Delta's move may or may not be a positive one in the long term. It depends how the company handles customer service. The move will be a positive one if Delta improves its human customer service. The move will be a negative one if Delta replaces human customer service with automated messages, forcing consumers to navigate an extensive loop of phone-based menu selections, and reply only via e-mails or letter. There are certain instances when consumers need to talk with a human customer service representative.

Fourth, when companies use offshore outsourcing, it means that customers' sensitive personal data is being moved across country borders. Call-centers in more countries means more risk since more sensitive personal data is moving around the globe; risks that companies rarely discuss including the associated data breaches at these call-center locations.

Fourth, like the airline companies all of the major credit reporting agencies outsource their call-center operations to vendors in several countries. Since I began this blog, I have repeatedly heard complaints from consumers about poor and low-quality customer service, especially about the agencies' online credit monitoring services. The silence and lack of transparent communications by the credit reporting agencies speaks volumes about these companies' lack of consumer focus.

Consumers Should Care What Personal Data Search Engines Collect

Prior posts covered behavioral advertising: opt-in versus opt-out system structure and notification issues, and the role of Internet Service Providers (ISPs). If you are new to the topic (or new to the Internet), there is a good primer article by CNN Money which highlights the issues consumers should know about search engines:

"Alone with just your computer screen, these searches can feel very private. But Google & Co. gather a lot of information about you as you surf, including the date and time for your search, your search terms, and your IP address, which is an 11-digit number that identifies your computer and, more important as far as advertisers are concerned, your location."

Internet users as young as teenagers need to know that:

"There are many free online tools, but they're not really free," explained Greg Conti, a professor of computer science at West Point and the author of Googling Security: How Much Does Google Know About You? "We end up paying for them with micro-payments of personal information..."

This is important because data breaches happen. Companies participating in targeted advertising will have consumers' data stolen or lost. It's important because consumers' privacy needs to by adequately protected:

"... Yahoo said it would keep personally-identifiable information in its database for no more than 90 days, down from 13 months previously... Google said it would keep your data for nine months instead of 18 months. Microsoft retains your information for 18 months... There are big differences, however, in the way that companies make user information anonymous. Google and Yahoo, for instance, block the last three digits, known in tech circles as the "last octet," of your IP address. Microsoft says it deletes the entire address."

Who knows what is really going on? The problem is: there isn't oversight. There isn't an independent audit. There is no way for consumers to know if the companies are honoring their data security as promised. This is critically important also because so much of consumers' sensitive personal data is outsourced overseas.

I am not saying that more government is the solution. Perhaps an an audit group partially funded by the search engine industry is the answer. Perhaps state and federal ID-theft legislation should be amended to require proper anonymizing of consumer data by search engines and other companies participating in targeted advertising. Perhaps amended FTC guidelines is the answer.

Whatever the solution, companies must protect consumers' personal data like nuclear fuel. What do you think?

Report: Cyber Criminals Selling Data About 21 Million German Consumers' Bank Accounts

What is your bank account data worth on the black market? This Germany data breach shows the value of sensitive consumer data. On Monday, IT World reported:

"Reporters for WirtschaftsWoche (Economic Week) managed to obtain a CD containing 1.2 million accounts after a November face-to-face meeting with criminals in a Hamburg hotel, according to the magazine. Posing as buyers working for a gambling business, the journalists were able to strike a price of €0.55 per record, or €12 million for all the data. They were given a CD containing the 1.2 million accounts when they asked for assurances that the information they would be buying was legitimate."

The cyber criminals offered to sell the sensitive consumer data (e.g., 21 million German bank accounts) for a reported 12 million Euros or about US $15 million. That's about US $ .70 per account, depending upon the exchange rate. Apparently, that is the low price:

"When sold in small quantities, full bank account details can fetch as much as $1,000 per record..."

That means, a criminal paying $1,000 for each consumer's stolen bank account data expects to steal at least that amount. What data was stolen, and how?

"That CD contained the names, addresses, phone numbers, birthdays, account numbers and bank routing numbers of the theft victims, they reported. In some cases, the victim's account balance was also provided. The data was most likely collected from call center employees, the magazine reports."

As I have written previously in this blog, there clearly are data security risks with offshore outsourcing and many U.S. companies, including the three national credit bureaus, outsource their call center operations. Also, even though the online passwords weren't included in the stolen data, the cyber criminals have enough personal data about the German bank account-holders to impersonate them, withdraw money from their bank accounts, and ultimately acquire (and/or change) the consumers' online passwords.

Data Breach At Colt Express Outsourcing Services. Vendor Leaves Data Breach Victims Hanging

According to PC World, a data breach occurred Colt Express Outsourcing Services when thieves broke into the company's Walnut Creek, California offices and stole several computers. Colt Express administers the benefit plans for C/NET and other companies. About 6,500 C/NET employees have been notified.

The computers contained very sensitive personal information including names, birth dates, Social Security numbers and employment information. This story highlights the fact that outsourcing vendors can be identity theft targets, since these vendors are a rich source of sensitive data about employees and contractors.

Four days after the break-in, Colt Express installed a security system with an alarm. It is unclear whether the information was encrypted or not. According to the PC World news story:

"Customers looking for free credit-monitoring services from Colt Express should not get their hopes up, however. Colt's letter included some marketing materials for Kroll, a company that helps companies respond to data breaches, but the information was provided "only out of courtesy and to give you an idea of the types of services available... By this letter and enclosures we are providing you with all the information we believe you need and that we are able to give you. We do not have the resources financial and otherwise to assist you further."

Apparently, Colt Express is going out of business. Regardless, I encourage the affected companies to look for a benefits plan administrator with strong data security processes in place. Or, the affected data breach victims should pressure their employers to select a benefits plan administrator with strong data security. Colt Express is not very responsive to the needs of its data breach victims. I've Been Mugged readers are well aware of the damage identity thieves can do with stolen Social Security numbers.

Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 4)

Prior posts discussed offshore outsourcing about TransUnion and TrueCredit. Laurie has problems with TransUnion's credit monitoring service, TrueCredit, and support from its call center. Laurie is worried that if TransUnion (and TrueCredit) outsource their operations and her credit information, she won't have the same protections she would have otherwise -- since data security laws vary in other countries. I'd promised Laurie that I'd try to find some answers to her questions. So far, I've learned that both TransUnion and TrueCredit, its credit monitoring service, both offshore outsource.

To learn more about offshore outsourcing within the credit bureau industry, I reviewed the 10K document Equifax filed with the U.S. Securities and Exchange Commission. Equifax is publicly-traded while TransUnion is privately-held. The S.E.C. requires public companies to submit certain filing documents. Both collect consumers credit information, sell credit reports to potential lenders, and operate credit monitoring services. A publicly-traded company's 10K filing usually tells more about its operations than its Annual Report document.

A view of Equifax's operations would provide a perspective about TransUnion, since both companies perform similar activities. To stay competitive, TransUnion would attempt to maintain a similar cost structure to its competitors -- Experian and Equifax.

From the Equifax 10K document:

"Upon our acquisition of TALX Corporation, or TALX, on May 15, 2007, we became a leading provider of payroll-related and human resources business process outsourcing services in the United States of America, or U.S. We currently operate in three global regions: North America (U.S., Canada and Costa Rica), Europe (the United Kingdom, or U.K., the Republic of Ireland, Spain and Portugal) and Latin America (Brazil, Argentina, Chile, El Salvador, Honduras, Peru and Uruguay). Of the countries in which we operate, 73% of our revenue was generated in the U.S. during 2007."

Some interesting information about the business risks Equifax sees and how that risk relates to outsourcing activities:

"Our ability to provide reliable service largely depends on the efficient and uninterrupted operation of our computer network systems and data centers. Some of these systems have been outsourced to third-party providers. Any significant interruptions could severely harm our business and reputation and result in a loss of customers."

If you read further into the 10K document, Equifax lists its contractual obligations which include outsourcing expenses:

Payments Due By:	Total	Less Than 1 Year	1 To 3 Years	3 To 5 Years	Thereafter
Data processing, outsourcing agreements and other purchase obligations* ($millions)	$305.5	$88.5	$103.3	$90.2	$23.5
* These agreements primarily represent our minimum contractual obligations for services that we outsource associated with our computer data processing operations and related functions, and certain administrative functions. These agreements expire between 2008 and 2014.

The document also states:

"Data Processing, Outsourcing Services and Other Agreements. We have separate agreements with International Business Machines Corporation, or IBM, Acxiom, GenPact, TCS and others to outsource portions of our computer data processing operations, applications development, maintenance and related functions and to provide certain other administrative and operational services. The agreements expire between 2008 and 2013. The estimated aggregate minimum contractual obligation remaining under these agreements is approximately $305.0 million as of December 31, 2007, with no future year expected to exceed approximately $90.0 million... In certain circumstances (e.g., a change in control or for our convenience), we may terminate these data processing and outsourcing agreements, and, in doing so, certain of these agreements require us to pay a significant penalty."

I wonder exactly what's in "related functions and to provide certain other administrative and operational services." That sounds like call centers. Equifax's outsource agreement with IBM:

"Our data processing outsourcing agreement with IBM was renegotiated in 2003 for a ten-year term. Under this agreement (which covers our operations in North America, Europe, Brazil and Chile), we have outsourced our mainframe and midrange operations, help desk service and desktop support functions, and the operation of our voice and data networks. The scope of such services varies by location. During 2007, 2006 and 2005, we paid $115.0 million, $112.1 million and $120.8 million, respectively, for these services. The estimated future minimum contractual obligation at December 31, 2007 under this agreement is approximately $255.0 million, with no year expected to exceed approximately $55.0 million. We may terminate certain portions of this agreement without penalty in the event that IBM is in material breach of the terms of the agreement."

If my friend, Laurie, decides to switch credit monitoring services... drop TrueCredit and sign up for another credit monitoring service by Experian or Equifax, she can reasonably expect that they outsource also. Like TransUnion, Equifax also operates several credit monitoring services, with varying features.

The economic reasons for companies to outsource work are understandable: to manage costs and stay profitable in a competitive business environment. My point is this: should they? Is it wise to offshore outsource work involving sensitive financial data? Is it wise to do so if the company can't provide a high-quality call center operation?

I had to dig deep to find some information about the company's offshore outsourcing activities, since this data isn't readily available in the company's web site. Is it wise to do so without informing consumers? Is it wise to do so if consumers prefer otherwise?

The three national credit bureaus assume that the lowest-cost for credit information is best for consumers. Laurie's concerns suggest otherwise, that consumers want both protection and a reasonable price; not the absolute lowest price. A service with a low price and no data security isn't worth much. Consumers now realize that bad things happen: data breaches. There is always risk. And, one can reasonably expect bad things to happen with offshore outsourced credit information just like data breaches within the USA.

There has to be a balance between a company's need to manage costs, and consumers' need to trust the companies they do business with. Consumers now know today that companies suffer data breaches. Some consumers know first-hand the expense, hassle, and grief involved with restoring their information and credit after a criminal has hacked their financial accounts.

I'll bet that when given a choice, consumers prefer that their credit and financial data is kept within their country's borders, rather than being transmitted around the globe. Laurie's concerns reflect this. It all goes to the level of risk people are willing to accept. Experts have identified the data security risks of offshore outsourcing. The fewer places credit and financial data are transmitted, the less chances for bad things to happen. More importantly, it is unclear about exactly which country laws govern the protection of consumer credit and financial data. It is unclear which country laws govern the notification when the company (e.g., TransUnion, True Credit) suffers a data breach by an outsource call center vendor in another country.

That data breach in another country may never happen, but if and when it does, consumers have a right to know - promptly.

What do you think? Take our poll today or submit a comment below.

Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 3)

Prior posts discussed offshore outsourcing and TransUnion. Laurie has problems with TransUnion's credit monitoring service, TrueCredit, and support from its call center. Laurie is worried that if TransUnion and TrueCredit outsource portions of their operations, she won't have the same protections she would have otherwise -- since data security laws vary in other countries. I'd promised Laurie that I'd try to find some answers to her questions.

A wider search found information about TransUnion's participation in industry events for outsourcing professionals. The International Association of Outsourcing Professionals published information about a June 2007 event:

"Performance Monitoring Goals and Requirements for BPO Operations (Call Centers)
Brad Rubin, Director of Operations for TransUnion Interactive (formerly TrueCredit)

• Overview of the business requirements for using tools to monitor the overall performance of BPO Call Center Operations
• Discussion of the functionality needed and the types of tools that were examined to achieve TransUnion’s goals.

Brad Rubin is responsible for managing all BPO operations where he has transformed the service operations into a global multi-site operation. Prior to TransUnion, Brad was with Accenture in San Francisco.

So, it appears that TransUnion, parent company, and TrueCredit both perform offshore outsourcing. This is the first time I have ever heard of a credit monitoring service that performs offshore outsourcing. According to a 2006 Janeeva, Inc. press release:

"Janeeva, Inc., the industry leader in ORM (Outsourcing Relationship Management) software, today announced that TrueCredit, a division of TransUnion and a provider of credit management services, has implemented Janeeva Assurance™ software to manage multiple outsourced vendor relationships. True Credit is experiencing rapid growth, and customer care via their call centers is critical to their success. With multiple offshore call center locations comes increased complexity that Janeeva helps manage."

So, TrueCredit has contracts with several outsourcing firms. According to a November 2006 entry at Outsourcing Magazine (OM):

"About Blogger Brad Rubin: Brad Rubin is currently the Director of Operations for TrueCredit, a wholly-owned subsidiary of TransUnion, LLC. While at TrueCredit, Mr. Rubin has been responsible for managing all business process outsourcing (BPO) operations. He has successfully transitioned the TrueCredit service delivery platform into a global, multi-site operation. In addition to his work at TrueCredit, Mr. Rubin is an active speaker within the outsourcing community. In 2006, he participated in the Outsourcing Relationship Management Forum at the University of Michigan and the Telecommunications Risk Management Association (TRMA), Summer Conference. In 2007, he will be presenting a case study entitled Managing Multi-Vendor Environments with Relationship Management Software at the International Association of Outsourcing Professionals (IAOP), World Summit."

The OM site provides Mr. Rubin's e-mail address and his blog address: www.sourcingprofessional.com. I scanned several posts in Mr. Rubin's blog. He mentioned TransUnion's offshore outsourcing activities with vendors in Manila (Philippines), Central America, and New Delhi (India). According to Mr. Rubin's blog, TransUnion is considering new offshore outsourcing arrangements in Cebu (Philippines) and Guatemala. While I haven't read all of the posts in Mr. Rubin's blog, so far I haven't seen any posts about data security or data breach notification.

Now, my friend Laurie knows that both TransUnion and TrueCredit perform offshore outsourcing. We now have idea of some of the country locations. We don't know yet which outsourcing firms. Maybe Mr. Rubin can help Laurie resolve her problems with TrueCredit's customer service department. Maybe Mr. Rubin can explain the scope of TrueCredit's offshore outsourcing activities. Maybe Mr. Rubin can explain the data security processes TransUnion takes to ensure the protection of Laurie's and others' credit information. Maybe Mr. Rubin can provide a list of the specific offshore outsourcing locations and firms.

Last weekend, I wrote to Mr. Rubin asking for answers to the questions above. In my e-mail message to Mr. Rubin, I shared Laurie's message and concerns. So far, I haven't received a response from him, or from anyone at TransUnion. If he responds, I will post his reply in the I've Been Mugged blog.

The economic reasons for companies to outsource work are understandable: to manage costs and stay profitable in a competitive business environment. That's one reason why I titled these posts, "Is It Wise...?" and didn't title it "Is It Profitable...?" Of course, outsourcing and offshore outsourcing are profitable. That's why companies do it.

My point is this: should they? Is it wise to offshore outsource work involving sensitive financial data? Is it wise to do so without informing consumers? Is it wise to do so if consumers prefer otherwise? Is it wise to do so if the company can't provide a high-quality call center operation?

There has to be a balance between a company's need to manage costs, and consumers' need to trust the companies they do business with. Consumers intuitively sense that there's less risk to their sensitive data if companies keep it within their country borders. Some experts have identified the data security risks of offshore outsourcing.

I'll bet that when given a choice, consumers prefer that their credit and financial data is kept within their country's borders, rather than being transmitted around the globe. It all goes to risk. The fewer places credit and financial data are transmitted, the less chances for lost or stolen data. More importantly, it is unclear about exactly which country laws govern the protection of consumer credit and financial data. It is unclear which country laws govern the notification when the company (e.g., TransUnion, True Credit) suffers a data breach by an outsource call center vendor in another country.

That data breach in another country may never happen, but if and when it does, consumers have a right to know - promptly.

More about this next week.

Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 2)

Yesterday's post discussed the problems Laurie is having with her TransUnion credit monitoring service, and the related questions about legal protections when credit companies perform offshore outsourcing. I'd promised Laurie that I'd try to find some answers to her questions.

Meanwhile, Laurie contacted me again:

"I continue to call TransUnion (TrueCredit) and I leave messages for somebody in a managerial position to contact me but I never get a domestic employee. When I ask the phone associates where they are located they tell me they are prohibited from telling me. It's a vicious cycle because there's no mailing address and the potential for online help abuse is the same as telephone support. This is sensitive information I'm disclosing and all my alarms are going off like bells and buzzers."

Yesterday's post covered news reports from 2003 and 2004 about the credit bureaus' offshore outsourcing activities. In 2003, the bureaus promised more openness about their outsourcing plans, but the call center representatives' answer above does not show any openness.

So, I decided to look more closely at TransUnion, since that company was the source of Laurie's difficulties. Like most companies, TransUnion publishes its Corporate Privacy Policy on its main Web site. This seemed like a good starting point, since this document usually discloses what the company does with any sensitive consumer data collected within the site:

"Please carefully read our privacy policy to understand how we will treat the information you provide while visiting this web site or the web sites of most of our domestic subsidiaries and affiliates ("Web Site")... This privacy policy applies to TransUnion and its domestic subsidiaries and affiliates, except for TransUnion Consumer Solutions and TrueLink, Inc., who maintain their own privacy policies."

Note the emphasis on domestic subsidiaries. That refers to TransUnion divisions, companies, or business units within the USA. It implies that divisions, companies, or business units elsewhere are not subject to this Privacy Policy, a different Privacy Policy, or none at all. That should be unsettling to consumers. Why? TransUnion's approach to privacy policies forces users to wade through several documents that aren't that easy to read nor find. TransUnion has operations in 25 countries on 5 continents. So far, no explicit mentions about outsourcing in this TransUnion Privacy Policy.

Next, I checked the Privacy Policy at TrueCredit, TransUnion's credit monitoring service, since Laurie is a subscriber. The TrueCredit Privacy Policy is more detailed and more comprehensive. It contains details about several subjects: what data the company archives, what happens when users opt-in to e-mail updates, how its web site works with the user's Web browser, the company's approach to online advertising, what situations TransUnion shares data with contractors, and so forth.

I'd like to give TransUnion and TrueCredit at least one "attaboy" for sharing this amount of detail in the TrueCredit Privacy Policy. However, this document didn't mention outsourcing either.

I also checked the Public Policies pages within the TransUnion site. No mentions of outsourcing there, either. Sadly, this site section was very thin regarding content. The little bit of copy on three pages could have easily been presented on a single page. Whatever promises TransUnion made in 2003 about more openness about its outsourcing activities, weren't being fulfilled in 2008.

Next, I looked for TransUnion's Annual Report and 10K filings; documents by publicly owned companies within the USA. TransUnion is privately held, so it is not required to provide these filings which the U.S. Securities & Exchange Commission requires of publicly-traded companies. Hence, it is more difficult to obtain detailed information about a privately-owned company... and any offshore outsourcing activities it might be engaged in.

Difficult, but not impossible. More about this tomorrow.

Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 1)

A friend, Laurie, wrote to me recent about difficulty she is having with her credit monitoring service:

"In my effort to reduce the likelihood of identity theft, I've ordered a credit check from TransUnion this year as I have for the past 3. This year I had a hard time logging on so I called the help line. It was answered instantly by somebody who asked for my Social Security number. Of course it seems like a natural question from a credit bureau but I had the feeling the operator was an outsourced worker from India. I gave her my data but I still couldn't log in. After further attempts to reach TransUnion in the USA I've discovered it is nearly impossible. I feel like I got sucked into a trap door set for the financially paranoid! Have you heard of this being a problem? Do institutions outsourcing labor in other countries have to comply with the same laws? Do you have any way around credit reporting when it's done overseas?"

Laurie's situation caught my attention first because a friend was having difficulty getting the help she needed. Her situation also caught my attention because of the increasing popularity of credit monitoring services. All consumers demand effective and high-quality customer service... perhaps more so when it involves sensitive personal data, like credit reports.

So, I promised Laurie that I'd try to find answers to her questions. Maybe Laurie had encountered a new or poorly trained call center representative; or a representative with a thick accent. This could happen with any business. Regardless, consumers have an expectation for efficient, quality customer service. And according to Laurie's message, TransUnion's customer service isn't helping and is difficult to contact.

Some background: TransUnion is one of three national credit bureaus (also called credit reporting agencies) in the USA. The national credit bureaus play three roles in the credit services industry:

1. Collect and archive credit reports with consumers' sensitive personal and financial data
2. Sell credit reports to potential lenders
3. Sell credit monitoring services to consumers

The data collected in role #1 includes: Social Security Number, birth date, full legal name, current and past residential addresses, credit cards, loan accounts and information, credit score, employer information, e-mail address, and payment histories. But this data isn't always accurate. Even though credit bureaus make money by selling consumers' credit reports, it is the consumers' responsibility to check their credit files for accuracy at each of the three national credit bureaus.

Regarding role #3, TransUnion operates the TrueCredit credit monitoring service.

One could debate whether roles #2 and #3 present a conflict of interests, perhaps similar to the role a computer software company has when it sells operating system software and application software. But, that debate must wait until after I answer Laurie's questions.

Laurie's message raised the subject of outsourcing, but more specifically off-shore outsourcing. Like many Americans, Laurie probably has an impression that the three national credit bureaus support their credit monitoring service subscribers with systems entirely within the subscriber's home country. In other words, consumers intuitively sense that there's less risk to their sensitive data if companies keep it within their country borders. Some experts have identified the data security risks of offshore outsourcing.

If this local-same-country processing and archiving isn't the case, then consumers intuitively assume that their personal data is at greater risk. How much more risk? Consumers don't know and the companies rarely say. Laurie has gone the extra step and asked: if her credit service offshore outsources, does she have the same data protections? Does the outsource firm have the same rigorous data security processes and policies? Which country's laws apply, if any, regarding data security standards? If there's a data breach by the outsource vendor in another country, will she be notified? Will that notification be accurate and timely?

Consumers' impressions that the three national credit bureaus don't outsource work are inaccurate. A news literature search found this San Francisco Chronicle article from November 2003:

"Two of the three major credit-reporting agencies, each holding detailed files on about 220 million U.S. consumers, are in the process of outsourcing sensitive operations abroad, and a third may follow suit shortly, industry officials acknowledge for the first time. Privacy advocates say the outsourcing of files that include Social Security numbers and complete credit histories could lead to a surge in identity theft because U.S. laws cannot be enforced overseas... The top credit agencies -- Equifax, Experian and Trans Union -- have refused in the past to comment on their outsourcing plans. No longer."

The article also reported this about TransUnion:

"A hundred percent of our mail regarding customer disputes is going to go to India at some point," said David Emery, executive vice president and chief financial officer of TransUnion in Chicago. "We are now testing the system and negotiating a contract with an outside vendor. We expect to sign that contract by the end of the year." Emery said in an interview that the decision to have an Indian firm handle thousands of written requests for changes to credit files each year was necessitated in part by the amended Fair Credit Reporting Act, which was approved by the U.S. Senate on Wednesday.

So, it would appear that (for a variety of reasons) at the end of 2003, TransUnion was planning to outsource work to firms in other countries. Since I am not a lawyer, I cannot provide a legal opinion on the laws which govern outsourcing and the credit industry. Nor can I provide an interpretation of the Fair Credit Reporting Act referenced by Emery above. For legal assistance regarding credit information, the Privacy Rights Clearinghouse recommends that consumers contact the National Association of Consumer Advocates, or the list of attorneys at My Fair Credit.

A Wired story from 2004 titled "Outsourcing: Danger to Privacy" reported:

"Democratic Sen. Dianne Feinstein warned the chief executives of banks and credit companies this week that she would crack down on them if they didn't take steps to protect their customers' private data, such as medical and financial information, which is increasingly being handled by clerks working abroad. In a letter to the CEOs of Citigroup, Bank of America, Equifax and TransUnion, Feinstein (D-California) said she might introduce federal legislation to protect the personal data of Americans if the companies don't establish safeguards... All of the recipients of Feinstein's letter already have outsourced clerical services, or have stated their intent to do so."

To my knowledge, that crack-down never happened. It would seem that the US Congress has basically said to credit bureaus: go ahead and outsource, but you'd better not have any consumers' credit or financial data lost or stolen. And, we consumers have elected those members of Congress.

The article didn't explain exactly how Congress would oversee the companies' outsourcing activities in other countries. The article didn't say how Congress would monitor or audit the companies' compliance with the safeguards, or collect timely and accurate data breach notices about any lost, stolen, or mishandled consumer data by firms operating outside the USA.

A lot has happened since that 2003 article. Maybe, the companies' outsourcing plans, activities, or scope have changed. The fact is identity theft and fraud have blossomed as a problem since 2003. Plus, the 2003 San Fran Chronicle article made it clear that the credit bureaus were no longer going to hide their off-shore outsourcing plans and activities.

More about all of this tomorrow.