Visa Survey Claims Consumers Lose $1 A Day In Cash

While surfing the web recently, I ran across a news item at Talking Payments, a website for people and companies (e.g., banks, retailers, card issuers, payment processors, etc.) interested in digital payments. The TP news item mentioned a study by Visa that consumers lose, on average, about $1.00 a day.

To learn more about the Visa study, I next visited the Visa Viewpoints website. The August 2012 survey included 5,641 people in Australia, India, Indonesia, Japan, Russia, Singapore, South Africa, South Korea, Taiwan, Thailand, the UAE, and the USA. View the infographic about the study (Adobe PDF). The survey tries to document the "cost" to consumers of using cash by adding cash lost plus idle cash. Some findings:

• In the US: $365 lost cash = $285 in lost foreign currencies after trips + $80 in idle cash lying around your home, office and/or car.
• In the US: men ($331) lose more than women ($245). And, younger people ($165) lose more than older people ($135).
• Lost cash varies across countries: Singapore ($656), Australia ($361), Japan ($349), and Russia ($137)

At first read, this seems very interesting. The implication of this study is that consumers who use payment cards (e.g., credit, debit, or prepaid) won't lose cash daily. Losing $1.00 a day in cash equals about $30 a month, or $365 a year.

Do you lose $1.00 a day in cash? I don't. I know this as I check the cash in my pocket at the end of the day -- everyday. When I receive change in the form of bills, I place that change in my wallet immediately. And, I don't consider idle cash as "lost." Maybe you do, but I don't. So, I am wondering exactly what consumers really lose $1.00 a day cash, and if people really lose that much cash daily.

One of the footnotes in the Visa inforgraphic reads:

"2. Foreign currencies given as tips given away in airports and/or misplaced."

What? So, a portion of the supposedly lost foreign currencies includes tips. I don't consider tips as lost money. When traveling, I tip bellhops, taxi drivers, and others who help me with my luggage. That's not lost money, That is paying for services received. Sometimes, I have foreign currencies left over from a trip, but that amount is nowhere near $285. It's under $5.

What's really going on here?

In my view, several things. First, banks really want to capture usage from consumers who don't have traditional bank accounts, or have only one account (e.g., checking or savings). Second, banks really want consumers to migrate to prepaid cards where there are fewer regulations for them; which means fewer or weaker consumer protections and consumer rights. That includes banks working with employers to provide payroll cards and banking services via prepaid cards, and/or health care spending accounts via prepaid cards. To learn more, read the list of prepaid card fees in this blog post, the payroll cards from Bank of America, and the Walmart MoneyCard.

To me, the study methodology compiled numbers in a way to inflate the amounts lost to justify these business goals.

Third, even if you lose as much as $1.00 a day in cash, a fair comparison is to consider the fees associated with prepaid cards, and if those those fees are greater than the cash you really lose. CNN Money found that basic prepaid card fees are about an average of $300 per year. That is almost as much as the supposed cash lost by consumers in the US, Australia, and Japan. Those average prepaid fees exceed the cash lost by consumers in several countries.

Both CNN Money and Consumer Reports found a wide variety of fees when it investigated prepaid cards: activation fees, monthly fees, reload fees, cash withdrawal fees, inactivity fees, online payment fees, paper statement fees, customer service phone call fees, and more.

What do you think of the Visa lost cash study?

Report: It Takes Months For Organizations To Detect And Resolve Data Breaches

I started writing this blog after a data breach at a former employer exposed my sensitive personal information. The consequence was that I had to take action due to a former employer's sloppiness.

Given that history, a new report by the Ponemon Institute, and sponosred by Solera Networks, caught my attention. The report included results from a study of data breaches in organizations to understand the differences between malicious and non-malicious data breaches, plus any lessons learned from the post-breach and forensic investigations.

Typically, after a data breach organizations' IT departments investigate independently or with the assistance of an outsourced technology consultant, the data breach. That investigation includes the cause of the breach, the specific computer systems and/or networks compromised, the number and types of records accessed (e.g., current employees, prior employees, contractors, students, etc.), and the specific data elements (e.g., names, street addresses, bank account numbers, Social Security numbers, e-mail passwords, etc.) accessed and/or stolen. By understanding what happened, organizations, in theory, can better secure their computers and networks from future data breaches.

The Ponemon study used the following definitions for data breach types:

"... we define a non-malicious breach as a system error, employee negligence or third-party snafu and a malicious breach is defined as one involving the theft of information assets by a criminal insider or [external hacker]..."

I found the results fascinating for several reasons. In my personal experience, my former employer's breach included data tapes shipped via a third-party vendor which never arrived at the off-site storage facility. This affected my privacy along with that of both current and other former employees.

First, the global results from the Ponemon report:

• 54% of IT professional respondents said (e.g., Strongly Agree or Agree) that the severity of data breaches has increased during the past 24 months
• 52% of respondents said (e.g., Strongly Agree or Agree) that the frequency of data breaches has increased during the past 24 months
• Only 44% of respondents said that their organization has the tools, personnel, and funding to quickly detect data breaches
• Only 43% of respondents said that their organization has the tools, personnel, and funding to prevent data breaches
• While 63% of respondents said that understanding the root causes of data breaches has increased data security in their organization, but only 40% said they have the tools, personnel, and funding to determine the root causes of data breaches
• On average, it took organizations 49 days to detect non-malicious data breaches, and 80 days -- almost 3 months -- to detect malicious breaches. For resolution, it took 83 and 123 days, respectively.
• Only 39% of respondents that experienced a malicious breach said that they were confident (e.g., Very Confident and Confident) that their organization determined the root cause of the breach

This is not good. It takes a long time to detect breaches, if at all, and a long time to fix them. The most frequent types of data breaches experienced during the past 24 months:

• 47% - Employee or contractor negligence
• 32% - System error or malfunctions
• 24% - External attacks
• 23% - Third party mistakes or negligence
• 14% - Malicious insiders

Where the data breach occurred within the organization varies:

Breach Location	Malicious Breaches	Non-Malicious Breaches
Within business unit	15%	27%
During transit or transmission to a third-party location	6%	22%
Off-site	30%	20%
Off-site data center	12%	12%
On-site data center	9%	9%
Unable to determine	28%	9%

When the breach was discovered:

When Discovered	Malicious Breaches	Non-Malicious Breaches
Immediately	2%	20%
Within one week	19%	19%
Within one month	29%	28%
Within 3 months	24%	16%
Within 6 months	6%	4%
Within 1 year	4%	2%
Within 2 years	2%	1%
Unable to determine	15%	10%

So, an astounding 15% of the time organizations were never able to determine when malicious data breaches were detected. That's about one out of every six breaches. How malcious breaches were discovered:

• 28% - Forensic tools and methods
• 19% - Loss preventiona tool such as DLP
• 15% - Notification by law enforcement
• 10% - Automated monitoring
• 9% - Accidental discovery
• 6% - Audit or assessment
• 3% - Legal filing or complaint
• 3% - Manual monitoring
• 3% - Notification by partner or third-party
• 3% - Consumer or customer complaint
• 3% - Unsure
• 1% - Other

Second, some country-specific results:

• 41% of survey respondents from the USA said (e.g., Strongly Agree and Agree) that their organization were ready with the tools, personnel, and funding to prevent data breaches. The average across all countries was about 44%. Organizations in Japan (56%) and Singapore (58%) led the way with prevention readiness.
• 42% of survey respondents from the USA said that their organization were ready with the tools, personnel, and funding to quickly detect data breaches. The average across all countries was about 44%. Again, organizations in Japan (55%) and Singapore (57%) led the way with detection readiness.
• 33% of survey respondents from the USA said that their organization's leaders view data security as a top priority. The average across all countries was about 37%. Again, organizations in Japan (51%) and Singapore (50%) led the way with senior management leadership.

The study included a survey of 3,529 Information Technology professionals in eight countries. 54% of survey participants report directly to the chief information officer (CIO) in their organization. Participants were selected from organizations that had at least one data breach during the past 24 months. The survey included organizations from both the public and private sectors.

Survey respondents by country:

• 659 - USA
• 566 - Japan
• 445 - Brazil
• 431 - United Kingdom
• 423 - Canada
• 395 - Australia
• 309 - Singapore
• 301 - United Arab Emirates
• 3,529 - Total

Third, survey respondents by industry:

• 18% - Financial Services
• 11% - Federal and central government
• 7% - Services
• 7% - Retail, Internet
• 6% - Professional services
• 5% - Industrial products and chemicals
• 4% - State, province and local government
• 4% - Communications
• 4% - Consumer products
• 4% - Entertainment and media
• 4% - Hospitality
• 3% - Defense contractor
• 3% - Retail, conventional
• 3% - Technology and software
• 2% - Energy and utilities
• 2% - Education and research
• 2% - Healthcare and medical devices
• 2% - Pharmaceuticals and biotech
• 1% Transportation
• 1% - Other
• 100% - Total

What is a consumer to take from the results in this report? As I see it:

1. Data breaches will continue to happen. The bad guys also read reports like this, and determine where the soft or easy targets are.
2. There is an opportunity for companies and senior executives in the USA to do much better and take a leadership role. Will they?
3. Outsourcing matters, since about 48% of malicious breaches happened off-site or during transit/transmission with a third party contractor or partner
4. Despite what senior-level executives say in speeches and press releases about valuing data security, the survey suggests otherwise. Many organizations don't have the necessary tools, personnel, and funding.
5. Despite what senior-level executives say in breach notification letters after a data breach, they often don't know what happened and won't for a long while, if they ever do. Too many never determine when and what happened.
6. Informed consumers realize the reality is that you have to protect your sensitive personal data. Don't rely on a employer or former employer to do it.
7. All of this applies to mobile app developers, app stores, online retailers, and related Internet companies since the study included those industries, too.

Access the complete "Post Breach Boom" Ponemon report here.

Microsoft Survey For Data Privacy Day 2013. What Internet Users Do To Protect Their Privacy

Today is Data Privacy Day, with celebrations in North America and Europe. To support this event, Microsoft released last week the results of a survey of Internet users about what consumers do to protect their privacy. I found some very interesting results:

• 45% of respondents said they have little or no control over the personal information companies collect about them while browsing the Web.
• 54% of respondents said they sometimes consider a company's privacy reputation, track record or policies when selecting which websites to visit.
• 32% of respondents said they always consider a company’s privacy reputation, track record and policies when selecting which websites to visit
• 24% of respondents said that they had little or not control over the personal information they share online
• Regarding website privacy, 39% said they consult a family member or friend about a website, 39% check a company's website privacy policy, 29% check the company's privacy policy, 21% check an industry or consumer organization, and 15% do nothing. More men do nothing (17%) than women (12%).
• The sources of privacy information respondents trust most are friends and family (33%), industry or consumers organizations (25%, a website's privacy statement (22%), a company's privacy statement (20%), government agencies (15%), and news media (10%). Younger adults are more likely to trust government agencies, while older adults are least likely (5%) to trust news sites.

In a blog post, Brendon Lynch, Microsoft's Chief Privacy Officer, said:

"... customers want and expect strong privacy protections to be built into our products, devices and services, and for companies to be responsible stewards of consumers’ data... People also need more information about their privacy options and help controlling their personal information online."

I agree with that. Consumers want and need more control over their sensitive personal information.

The survey included interviews of 1,015 adults aged 18 or older. The survey was conducted during November 2012 by Microsoft and Ipsos MediaCT. Some descriptive facts about the survey respondents:

• 51% were female
• Ages: 18 to 34 (31%), 35 to 54 (37%), and 55 or older (32%)
• Household income: below $50K (42%), and $50K or higher (58%)
• Education: high school or less (32%), some college (35%), college graduate (20%), and post graduate (13%)
• Employment: full-time (39%), part-time (11%), retired (17%), unemployed (11%), homemaker (9%), student (6%), and other (10%)

Study: 30 Percent Of Teen Girls Meet In Person Strangers They Met Online

This is a startling and terrifying statistic. Parents: what is your teenage daughter doing online? WFMJ reported the results of a recent pediatric study:

"... the study tracked online and offline activity among more than 250 girls aged 14 to 17 years and found that 30 percent followed online acquaintance with in-person contact..."

The study, funded by a grant from the National Institutes of Health (NIH), included a mix of girls with and without a history of risky behavior. The study's author is Jennie Noll, a professor of pediatrics at the University of Cincinnati. The NIH is part of the U.S. Department of Health and Human Services (DHHS).

I recommend that parents read the WFMJ article, since it includes additional information. Reportedly, the study appeared in the Journal of Pediatrics. I wished that the study had included younger girls, since many social networking sites allow youth aged 13 and older to register.

Unclear About Data Brokers But Wanting Control And More Disclosure

While the U.S. Senate probes data brokers and consumer privacy issues, a recent study by Trusted ID provides some insights into how consumers view data brokers:

• 80% of respondents do not have a good understanding of what a data broker is, what they collect and how they use information
• About 80% of respondents state that it is important to control their data collected and archived by data brokers
• 76% of consumers feel that it is important to be notified about information that data brokers collect
• 80% of respondents want a centralized website to manage their information that is collected and archived by data Brokers

The survey was conducted online between August 23 and September 5, 2012, with a national sample of 2,960 Americans.

Earlier this year, the data broker Spokeo paid $800,000 to settle charges by the U.S. Federal Trade Commission (FTC) that it allegedly violated the Fair Credit Reporting Act by operating as a credit reporting agency and by maketing consumers' profiles to companies in several industries without implementing methods to protect consumers as required by the FCRA. The complaint (Adobe PDF) filed by the FTC, in June 2012 in the Central District Court in California, read in part:

"Spokeo assembles consumer information from 'hundreds of online and offline sources,' such as social networking sites, data brokers, and other sources to create consumer... In its marketing and advertising, [Spokeo] has promoted the use of its profiles as a factor in deciding whether to interview a job candidate or whether to hire a candidate after a job interview. Spokeo purchased thousands of online advertising keywords including terms targeting employment background checks, applicant screening, and recruiting. Spokeo ran online advertisements with taglines to attract recruiters and encourage HR professionals to use Spokeo to obtain information about job candidates' online activities. Spokeo has affirmatively targeted companies operating in the human resources, background screening, and recruiting industries... Spokeo profiles are consumer reports because they bear on a consumer's character, general reputation, personal characteristics, or mode of living and/or other attributes listed in section 603( d), and are "used or expected to be used... in whole or in part" as a factor in determining the consumer's eligibility for employment or other purposes specified in section 604."

Consumers can conclude a couple things from this. First, sloppy data practices by data brokers can abuse consumers' information. Second, what you share online in social networking sites can affect whether or not you get a job, or even get an interview. In the rush to make money and create new revenue streams, social networking sites now use your information in ways you didn't originally intend. The I've Been Mugged blog first reviewed Spokeo in 2010.

Download the Trusted ID survey results in the, "Consumer Perspectives - Data Brokers In Review" report (Adobe PDF).

National Protect Your Identity Week 2012

Not sure what you can do to protect your sensitive personal information? October 20 - 27, 2012 is "National Protect Your Identity Week" (NPYIW).

The ProtectYourIDNow site contains a wealth of information for consumers, plus local events by state. I visited the website to see what's available this year. There are some interesting statistics about how consumers don't protect themselves nor their sensitive personal information:

"68 percent of people with public social media profiles shared their birthday information (with 45 percent sharing month, date and year); 63 percent shared their high school name; 18 percent shared their phone number; and 12 percent shared their pet's name-all are prime examples of personal information a company would use to verify your identity."

While it may feel nice to receive birthday congratulations from your "friends" on social networking websites, the fact is that your birth date is a sensitive and critical piece of personal information that data brokers (and identity thieves) use to distinguish between multiple people with the same name. Experts warn consumers to stop doing these seven things on Facebook and other social networking websites. Some other interesting statistics:

"Seven percent of Smartphone owners were victims of identity fraud... 32 percent of Smartphone owners do not update to a new operating system when it becomes available; 62 percent do not use a password on their home screen... 32 percent save login information on their mobile device... Young adults, aged 18-24, took the longest to detect identity theft - 132 days on average... the average cost ($1,156) was roughly five times more than the amount lost by other age groups... Children may be 51 times more likely than adults to have their identity stolen..."

The NPYIW website includes tips to protect yourself, informative videos, advice about what to do if you are a victim of identity theft and fraud, and an online quiz to test your knowledge about identity theft and fraud. Sponsors of NPYIW include the National Foundation for Credit Counseling, the National Sheriffs Association, the National Association of Triads, the Consumer Federation of America, the Council Of Better Business Bureaus, the U.S. Federal Trade Commission (FTC), the Identity Theft Resource Center, the National Crime Prevention Council, the Credit Union National Association, and many others.

Did you attend a NPYIW event? If so, share your experience below.

Study: Small And Medium Sized Businesses Face Growing Data Security Threats

According to a new report by Osterman Research, and sponsored by Trend Micro, while cloud and mobile device usage have increased within small and medium sized businesses, so too has malware and data security threats. The survey found that about 52.1% of devices (e.g., desktop computers, laptops, tablets, smartphones) used by employees were infected annually with malware. In any given month, about 4.3% of devices were infected.

The report found that the malware has become more serious, with more versions, a short life, had target specific mobile devices (e.g., devices running the Android operating system) ,and had targeted businesses in specific countries that perform online banking.

The researchers found the costs to businesses were substantial. Information technology (I.T.) departments spent on average 72 minutes per device to remove the malware and fix the infected computer. The direct I.T. staff cost was about $2,400 per device per year. And, those costs don't include the lost employee productivity.

The data breaches from this malware can lead to theft of money, trade secrets, or the sensitive personal information of employees, former employees, and contractors. Criminals try to infect employees' devices with keystroke-logging malware to steal online bank account passwords. The report listed some of the company data breaches where businesses were robbed in this manner:

• Western Beaver County School District: $700,000
• The Catholic Diocese of Des Moines: $600,000
• Hillary Machinery: $800,000 (its bank was able to recover only $600,000)
• Patco: $588,000
• Experi-Metal, Inc.: $560,000
• Village View Escrow: $465,000
• An unidentified construction company in California: $447,000
• Choice Escrow: $440,000
• An unidentified solid waste management company in New York: $150,000
• An unidentified law firm in South Carolina: $78,421

So, if you work in a small or medium sized business that performs online banking, you can assume that identity thieves and criminals have targeted your employer and, most likely, your mobile device.

Survey: How Mobile Device Users Protect Their Privacy With Mobile Apps

A recent survey by the Pew Research Center investigated how mobile device users manage their privacy. The survey included both cell phone users and smart phone users. Key findings:

"54% of app users have decided to not install a cell phone app when they discovered how much personal information they would need to share in order to use it; 30% of app users have uninstalled an app that was already on their cell phone because they learned it was collecting personal information that they didn’t wish to share. Taken together, 57% of all app users have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place for similar reasons."

It is good to read that consumers are not blindly downloading and using mobile device apps, since prior studies have documented sporadic and inconsistent access to privacy policies for mobile apps. After pressure from the California Attorney General, several companies (e.g., Amazon.com, Apple, Google, hewlett-packard, Microsoft, and Research In Motion) that operate mobile app stores agreed to improve app privacy policies disclosing the personal data collected, stored, and shared. Earlier this month, researchers at M.I.T. documented privacy abuses by mobile apps that tracked consumers without notice nor consent. And, the U.S. Federal Trade Commission published guidelines for businesses that develop and market mobile device apps.

The Pew survey found that almost one-third, 31% of all smart phone users surveyed, have lost their device or had it stolen. Among users 18 to 24 years of age, about 45% had either lost their device or had it stolen. The survey authors concluded:

"Smartphone owners are generally more active in managing their mobile data, but also experience greater exposure to privacy intrusions"

The table below highlights this conclusion:

Activity	Smart Phone Users	Cell Phone Users
Back up phone contents	59%	21%
Cleared browsing or search history	50%	14%
Turned off location tracking	30%	7%
Experienced lost or stolen device	33%	29%
Somebody accessed device in a way that felt like a privacy intrustion	15%	8%

Pew conducted the nationwide survey, in both English and Spanish, of 2,254 adults (age 18 and older) during March 15 to April 3, 2012. Download the Pew report: "Privacy and Data management on Mobile Devices."

The Risks Of Buying Drugs Online

Everyone loves a good deal. And the Internet provides several sources of deals and discounts. If you seek deals on prescription drugs, there are several things you should know so you don't get "mugged" by a rogue online pharmacy website.

Earlier this year, the National Association of Boards of Pharmacy (NABP), which accredits online drugstores, released the results of a study where it reviewed more than 9,600 online pharmacies. Key results:

• Most are rogues sites: 96.6% (or 9.349 of 9,677 online pharmacies reviewed) operated out of compliance with existing laws and standards
• Only 2.7% (259 online pharmacies) to be legitimate websites, and 0.7% (69 sites) were accredited through an NABP verification program
• Of these 9,349 online pharmacies, 8,122 don't require a valid physician's prescription
• 4,648 offer foreign or drugs not approved the U.S. FDA
• 3,363 have internet servers outside the USA
• 1,523 don't have secure web sites

The problem is intensified by drugs that are in short supply. Fraudsters know this and try to take advantage of the situation:

"The most critical shortages involve cancer, antibiotic, nutrition, and electrolyte-imbalance medicines, according to the FDA. For many community pharmacies, health-system pharmacies, and patients the lack of availability of needed -- and often life-saving -- medications through official, authorized supply channels means resorting to unconventional and more dangerous means of obtaining the medications, sometimes turning to unknown sellers online. The unfulfilled demand for these medications has created a lucrative market for counterfeiters..."

The results: several risks to consumers. One risk is that you may not get what you paid for:

"... health care facilities and patients have no assurance that the substances they receive are what they are purported to be. Many of the replacement drugs purchased online are unregulated, meaning there are no safeguards in place to ensure their identity, safety, efficacy, where and under what conditions they were made, or how they were handled."

A second risk is to your health. Counterfeit drugs can fail to address your medical conditions, make you sicker, or kill you:

"... two-thirds of the online drug sellers discovered in this study are represented on the NABP list of Not Recommended sites. These illegal online drug sellers pose serious risks to patient health. The risk is especially high with vaccines..."

A third risk is identity theft or fraud at those online pharmacies that operate unsecured sites.

Earlier this year, the U.S. Congress House Committee on Oversight and Government Reform investigated "gray market" companies, that operate outside of authorized drug distribution networks to provide short-supply drugs at hugely inflated prices. In July 2012, the committee released its report (Adobe PDF), which found:

"... a growing number of prescription drugs sold in the United States have experienced supply shortages. Because these shortages have been most severe among a group of injectable drugs used to treat patients with cancer and other serious illnesses, they have had a particularly serious impact on hospitals... During drug shortages, hospitals are sometimes unable to buy drugs from their normal trading partners, usually one of the three large national “primary” distributors... some short-supply injectable drugs do not reach health care providers through the manufacturer-wholesaler distributor-dispenser chain that policymakers and industry stakeholders present as the typical model for drug distribution. Instead, these drugs “leak” into longer gray market distribution networks, in which a number of different companies – some doing business as pharmacies and some as distributors – buy and resell the drugs to each other before one of them finally sells the drugs to a hospital or other health care facility. In more than two-thirds (69%) of the 300 drug distribution chains reviewed in this investigation, prescription drugs leaked into the gray market through pharmacies. Instead of dispensing the drugs in accordance with their professional duties, state laws, and the expectations of their trading partners, these pharmacies re-sold the drugs to gray market wholesalers..."

The investigation also found:

"... a number of businesses holding pharmacy licenses that do not dispense drugs, but instead appear to operate for the sole purpose of acquiring short-supply drugs that can be sold into the gray market.... Some gray market wholesalers gain access to shortage drugs by recruiting pharmacies to act as their purchasing agents..."

The impact is far higher drug prices than otherwise for health care facilities, hospitals, and consumers.

The NABP operates several online pharmacy accreditation programs, including the Verified Internet Pharmacy Practice Sites (VIPPS), the Veterinary-Verified Internet Pharmacy Practices Sites (Vet-VIPPS), and the e-Advertiser Approval Program. The NABP has appllied to the Internet Corporation For Assigned Names and Numbers (ICANN) for a specific domain-name to help consumers recognize accredited online pharmacies.

To protect yourself online, experts advise consumers to:

1. Buy drugs online from reputable stores you already know
2. Look for NABP VIPPS and Vet-VIPPS symbols when shopping
3. Visit AwareRX.org, which maintains lists of both NABP-recommended and not-recommended online pharmacy websites
4. Visit SafeMedicines.org operated by the Center for Safe Internet Pharmacies (CSIP), which contains a tool for patients to check if doctors in their state purchased counterfeit cancer medications
5. Watch this public service announcement produced by the CISP:

Download the full NABP report: "Internet Drug Outlet Identification Program Progress Report for State and Federal Regulators: April 2012" (Adobe PDF).

How To Evaluate Prepaid Card Options

Perhaps, you have already noticed. Banks now offer a variety of prepaid cards. They are popular to. According to a 2012 report by CardHub.com:

"Consumers loaded $57 billion onto prepaid cards in 2011, a nearly 33% increase from 2010, and that number is expected to rise by 44% to $82 billion in 2012, according to the Mercator Advisory Group. By 2013, the group predicts consumers will load $117 billion onto prepaid cards, which would mark a 200% usage increase in just three years."

With so many prepaid card options, how can a consumer pick the best card? It all depends upon your financial situation. Of course, if you have the money, opening traditional checking and savings accounts at a bank or credit union is probably the best route. There are several articles in this blog to help you decide if moving your money to a prepaid card is a wise choice.

If you are determined to use a prepaid card instead, the best card for you probably depends upon your specific financial situation: how often you are paid, how much you are paid, the format of your pay, your spending and shopping patterns, and if you perform online banking.

In its 2012 report about prepaid cards, CardHub.com presented three scenarios to help consumers evaluate and find the best prepaid card. The three scenarios:

• Scenario 1:a person paid $2,000.00 monthly, whose employer offers direct deposit, visits an ATM once per week, expects to makes five purchases per week with their prepaid card, and pays two bills per month by check.
• Scenario 2: a person gives their teenager a $100.00 monthly allowance. The teenager visits an ATM twice per month and expects to makes two purchases per week with the prepaid card each week. In this scenario, money is loaded onto the prepaid card from the parent's bank or PayPal account.
• Scenario 3: a person paid weekly and earns $1,600.00 monthly, does not have the direct deposit option, and expects to make three purchases per week with the prepaid card. In this scenario, the person must load money to their prepaid card and make ATM withdrawals each week.

Of course, you can pick the scenario that matches or is closest to your financial situation. It might be that none of these scenarios adequately describe your financial situation. Maybe you have more children, earn a vastly different amount, or shop more often (e.g., groceries, lunches while at work).

Of course, you have the option to give your teenage child an allowance in cash and let him or her learn by deciding whether or not to transfer their cash to a prepaid card. Regardless, if is important for both parents and youth to learn the differences between credit cards, debit cards, and prepaid cards. Banks can charge a variety of fees on prepaid cards. Some employers offer banking services, pay their employees via prepaid cards, and administer health care spending accounts via prepaid cards.

In its 2012 report about prepaid card, CardHub.com listed the monthly costs for various banks' prepaid cards for the above three scenarios, and which prepaid cards are not suitable. Some of the monthly costs exceed $26.00, which is a lot ot pay for any banking option. So, it is wise to shop around and do your homework first. Know your pay and spending patters, then compare prepaid cards based on your banking habits.

Whatever you decide, it is wise to revisit your decision after a few months to see if your banking habits changed. A change in pay, ATM withdrawals, out-of-network ATM withdrawlas, and/or spending may make a prior decision no longer best for you:

"... every card has different fees based on the specific usage of each card. How often a person uses an ATM and how much money they load onto the card each month are the most important drivers in the cost of each card..."

If you use a prepaid card, what do you use it for. And what factors influenced your prepaid card choice?

Survey: 11% Of Banking Customers Ready To Switch To Another Bank

According to a recent surevy of about 5,000 banking customers, about 11% are ready to switch to another bank. That represents about $675 billion in assets, according to a March 2012 survey by Javelin Strategy & Research. Key findings:

"Citibank and Bank of America are the most vulnerable giant banks by far, with as many as one in four customers at risk of switching... although Americans were riled about banking fees, the didn't switch their primary [bank] in greater numbers. The reason: Convenience trumps fees... built on a foundation of big branch systems, broad ATM networks, convenient online banking, and... mobile banking..."

The leading reasons why consumers switch banks:

• 33% - Too many fees
• 21% - unsatisfactory customer service
• 15% - more convenient location
• 12% - moved their residence

Download the summary (Adobe PDF) of the "Bank Switching in 2012" Javelin report. Related articles:

• Bank Of America To Settle Class-Action Lawsuit With Overdraft Fee Rebate Program
• Bank of America Merchant Services And Money Network Announce New Payroll Solution
• Is It Wise To Move Your Money To A Prepaid Card?
• Citigroup Increases Number of Breach Victims To 360 Thousand

Survey Documents Sporadic Access To Privacy Policies By Mobile Device Apps

The Future of Privacy Forum (FPF) recently released the results of its June 2012 survey of mobile device apps and privacy. The survey goal was to understand how often apps provide users with a privacy policy. While a privacy policy is a minimal first step towards data security, it provides both a baseline for consumers to judge the app's operation, and informs users about what sensitive personal data the app uses, and where that data is shared. An industry problem is that too many mobile apps for children still lack privacy policies.

The FPF examined 150 of the most popular mobile apps across three platforms: iOs App Store, Google Play,9 and Kindle. Key findings from the survey:

• 61.3% of all apps examined presented users with a privacy policy. That total included 69.3% of free apps and 53.3% of paid apps.
• The apps examined included many well-known apps: Angry Birds, ESPN Score Center, Facebook, Google Earth, Google Search, Instagram, Netflix, Shazam, Skype, Style Me Girl, Twitter, Virtual Makeover, The Weather Channel, Yahoo! Mail, and more.
• The availability of privacy policies vary greatly by app store and app type:

% of Top Apps That Have A Privacy Policy*
	Free Apps	Paid Apps
iOS App Store	84%	64%
Android - Google Play	76%	48%
Kindle Fire - Kindle App Store	48%	48%
All Platforms	69.3%	53.3%
*Privacy policy either in the app listing page, in the app, or in the developer's website

Ideally, apps should provide immediate and easy access to their privacy policies from the app listing page within the app store. Unfortunately, this access varies greatly:

% of Top Apps That Provide Access To A Privacy Policy On The App Listing Page In The App Store
	Free Apps	Paid Apps
iOS App Store	48%	28%
Android - Google Play	20%	12%
Kindle Fire - Kindle App Store	0%	0%
All Platforms	22.7%	13.3%

Ideally, apps should provide immediate and easy access to their privacy policy from within the app, too. Performance here is somewhat better:

% of Top Apps That Provide Access To A Privacy Policy From Within The App
	Free Apps	Paid Apps
iOS App Store	60%	44%
Android - Google Play	64%	24%
Kindle Fire - Kindle App Store	20%	28%
All Platforms	48%	32%

The other measure of privacy is whether apps collect location-based data (e.g., GPS) and provide users with an opt-in choice before data collection. The researchers found:

"... 12 out of the 50 apps surveyed on the iOS App Store platform requested precise location information and 14 out of the 50 apps surveyed on the Google Play platform requested precise location information and ten out of those fourteen had privacy policies. The study revealed that almost all of the leading apps requesting precise location data did have a privacy policy in place, but found that some very well known apps did not."

Based in Washington, DC, the Future of Privacy Forum (FPF) is a think tank that seeks to advance responsible data practices. The FPF hosts the ApplicationPrivacy.org website that provides best practices for data security for mobile app developers.

The FPF survey is a good first step. Consumers should be warned that the FPF survey did not evaluate whether developers' mobile apps actually complied with the promises in their privacy policies. That is an important issue to be addressed -- often in the courts, or by diligent technologists.

In June, California Attorney General Kamala Harris announced a deal with Facebook.com to ensure that any apps that collect personal data from California residents have privacy policies. Earlier in the year, several app store operators (e.g., Apple Inc., Google Inc., Amazon.com Inc., Microsoft Corporation, RIM Ltd., and Hewlett-Packard) agreed to a similar arrangement with the California AG. This makes one wonder where the other states' attorney general are on this issue.

Since security experts have documented multiple threats that target Apple and Android mobile devices, wise consumers look for trustworthy apps and protections in privacy policies. What do you look for in a mobile app privacy policy?

Consumers Pay With Methods Other Than Cash

Some statistics about consumers use of cash versus other payment methods:

"Last year 27 percent of all point-of-sale purchases were made with cash and that number is expected to drop to 23 percent by 2017... plastic cards purchases comprised 66 percent of all in-person sales, with nearly half of them, or 31 percent, made with debit cards, according to Javelin. Last year shoppers used credit cards for 29 percent of point-of-sale purchases; Javelin expects that number to rise to 33 percent by 2017. Shoppers deployed gift cards and prepaid cards for 6 percent of purchases made with plastic last year. A mere 7 percent of transactions involved use of a paper check..."

The Huffington Post article also mentioned a few retail stores than no longer accept cash.

Why Cyber Criminals Attack: For The Money

Last week, the Ponemon Institute and Check Point Software Technologies released the results of a joint survey, "The Impact of Cybercrime on Business" (Adobe PDF), conducted to better understand the nature of online attacks which businesses of all sizes face. The survey included executives from companies in several countries. Key survey findings:

• Companies experience an average of 66 cyber attacks per year
• Mobile devices (e.g., smart phones and tablets) present an increased breach risk
• Cyber crime is expensive, costing companies on average
• Criminals attack for the money

Almost all survey participants said:

"... the primary goal for cybercriminals is financial fraud and/or access to the company’s financial records. In the U.S. and UK, financial gain is followed by theft of customer data. Approximately five percent of security attacks are motivated by political or ideological agendas."

So, identity thieves and cyber criminals attack employers to steal money: the employer's and/or yours. And, the criminals will attempt to use your mobile devices to gain access to employer's networks:

"... Hong Kong and Brazil report on average the highest percentage of mobile devices infected an act of cyber crime... the lowest average of infected mobile devices and machines connected to the network at 11 percent in the U.S. and nine percent in Germany."

The Ponemon/Check Point survey included more than 2,600 experienced business leaders and IT security practitioners from commpanies located in the United States, United Kingdom, Germany, Hong Kong and Brazil.A similar study by Symantec found that 50% of cyber attacks focused on businesses with fewer than 2,500 employees, and targeted mobile device and social networking users.

The Ponemon Institute helps both public sector and privbate sectors by performing independent research on privacy, data security, and information protection. Check Point Software Technologies provides organizations with a veriety of solutions to secure online networks and data.

Statistics: How You And Your Friends Use Social Networking Sites

A few social networking statistics reported recently by Consumer Reports:

• 28% of users share their Facebook posts with an audience beyond only their friends. This means that about 1 of every 4 of your friends have not adjusted the privacy settings on their Facebook accounts.
• 11% of households using Facebook said that they had privacy or data security problems last year (e.g., someone used their log-in without permission, harassed, etc.).
• 37% of Facebook users said that they have modified their privacy settings to customize or limit how much personal information Facebook apps are allow to access.
• 25% of Facebook users said that they have entered fake information in their online profiles to protect their identity.
• Facebook alreadys stores about 60 billion photographs, and that total grows daily by 250 million
• 69% of employers' human-resource officers have rejected job applicants based on what they found during reviews of candidates' profiles at social networking sites
• About 25% of college admissions officers check applicants' social networking profiles. 12% of those officers reported finding posts last year that hurt applicants' admission chances

To learn more, see the module in the near right column titled, "Using Facebook Safely."

Consumer Reports Reviews Facebook And How To Use It Safely

If you haven't read it, there is a good review by Consumer Reports of the Facebook social networking website. The news media has focused on some of the controversial aspects of the report. For example, CNN reported, like many other news organizations, the survey finding that about 25 percent of Facebook users lie about information in their Facebook profile to protect their identity.

While lying about profile information may seem like an effective privacy strategy, the Consumer Report review of Facebook highlights the various ways Facebook tracks its members. Some Facebook members have made conscious choices to share personal data, and do so in status messages, sharing items, and commenting upon others' status messages. Yet other tracking methods exist.

The Consumer Reports review is a good reminder that its members are the products:

"... the company uses your data to help advertisers deliver ads that you may find useful. Suppose, for example, that you have “liked” the San Francisco 49ers page, or simply posted comments about football. You shouldn’t be surprised to see ads in the margins for football tickets, fan paraphernalia, and the like. Facebook does not share any of your information with advertisers that buy those ads unless you give permission. If you click the ad and purchase something, the advertiser obviously learns who you are. And even if you simply “like” a brand page, the company can automatically send posts to your account."

One tracking method is the facial-recognition software used to "tag" (e.g., identify) people (and places) in both photos and videos. Members who aren't careful to turn off the geo-tagging feature in their smart phones or tablets will provide even more personal data with photos and videos uploaded to Facebook.

Another method are the Facebook apps member use for music, news, and games -- which are loosely managed by Facebook:

"... according to Kevin Johnson, security consultant at Florida-based Secure Ideas, who has developed apps and tests their security. The sole credential needed to create an app is a verified Facebook account, including a cell phone number or credit card. And the company doesn’t have to review your source code (programming instructions) before it goes live..."

So, there seems to be little to no verification of apps for security or compliance when those apps have a privacy policy.

A method Facebook uses to track both members and non-members includes those "Like" buttons you have see on websites across the Internet:

"... Facebook keeps track of the other websites [its members] visit. That happens via the “Like,” “Recommendations,” and similar buttons that so many sites include. In addition to reporting your presence, the “Like” button sends along the date and time of your visit and your IP address, whether or not you click on it. The company has acknowledged that this happens even when Facebook users are logged out, a practice that had prompted class-action lawsuits in the U.S. If you’re logged in to Facebook, it can collect even more data. The company also said that it collects data from people who are not its users and have never visited its site..."

The review is also a good reminder of the scope of data Facebook collects:

"... thanks in large part to Max Schrems, a 24-year-old Austrian law student who managed to get a fuller copy of his personal information last year from Facebook's Dublin office, which oversees relations with users outside the U.S. and Canada. Schrems was surprised to discover, among the 1,222 pages of data covering three years of Facebook activity, not only deleted wall posts and messages, some with sensitive personal information, but e-mail addresses he’d deleted and names he’d removed from his friends list... Facebook collects the same type of detailed information on American users, as confirmed by documents it released to Boston police during their investigation of Philip Markoff..."

If you want to learn more about Schrems, visit Europe Versus Facebook. The review ends with a list of nine ways consumers can use Facebook (and similar social networking sites) safely:

"1. Think before you type. Even if you delete an account (which takes Facebook about a month), some info can remain in Facebook’s computers for up to 90 days.

3. Protect basic information. Set the audience for profile items, such as your town or employer. And remember: Sharing info with “friends of friends” could expose it to tens of thousands.

4. Know what you can’t protect. Your name and profile picture are public. To protect your identity, don’t use a photo, or use one that doesn’t show your face.

5. “UnPublic” your wall. Set the audience for all previous wall posts to just friends.

7. Block apps and sites that snoop. Unless you intercede, friends can share personal information about you with apps. To block that, use controls to limit the info apps can see."

Read the complete review of Facebook.com by Consumer Reports.

Security Report Describes Multiple Threats Targeting Apple And Android Mobile Devices

Your Apple brand mobile device may not be as secure as you think it is. Trend Micro released a report last week about mobile device security. Key findings from the report:

• During the first three months of 2012, Apple led all major technology vendors with 91 reported vulnerabilities (http://cve.mitre.org/); followed by Oracle (78), Google (73), Microsoft (43), IBM (42), Cisco (36), Mozilla (30), MySQL (28), Adobe (27), and  Apache (24).
• During the same period, Android-based smartphone suffered from the most cyber criminal attacks. Trend Micro identified about 5,000 new malicious apps that target Android devices

The report described a variety of scams and threats targeting mobile device users worldwide. The “one-click billing fraud” scam is particularly nasty. In this scam, thieves target video sharing websites. When a person clicks on a link to view a video, the link redirects to a website that downloads a software virus to their device. The virus locks up the person’s device and demands payment to unlock the device. This scam now targets Android-based smartphones.

Some scams used email hoaxes about new products to spread malware:

“Free “iPad 3” giveaway promos stirred up interest in the product even before its launch and infected systems with malware. Twitter spam touting free McDonald’s gift cards redirected users to adult dating sites..."

Some scams used new social networking sites to spread computer viruses:

“New social networking site, Pinterest, gained not just popularity but also notoriety. Site users were drawn into “re-pinning” a Starbucks logo to get supposed gift cards but instead got Malware.”

The report describes another type of scams, often referred to as “ransomeware” which:

“Refers to a class of malware that holds systems and/or files “hostage” unless victims pay up...”

Ransomeware may also encrypt files on the hard drives of victims’ infected devices, and demand payment to release the encrypted files. Trend Micro reported that this scam previously operated in Russia, but has now spread to several countries in Europe. A variation of this scam includes the use of police department logos on a landing page which demands that victims with infected computers pay a bogus fine for accessing Internet port and materials with violent content.

Before installing apps on your smartphone, the report’s authors advice consumers to:

1. Be ready to give out some personal information.
2. Know that a third-party will gain access to your personal information.
3. Know the app developer’s reputation

Download the “Security In the Age of Mobility” report (Adobe PDF, 2.1 MBytes).

FTC Survey: The Good And Bad Experiences Of Identity-Theft Victims With Consumer Reporting Agencies

The U.S. Federal Trade Commission (FTC) released the results of its survey of consumers who had reported to the FTC that they were identity-theft victims. The survey assesses consumers experiences with recovering from identity theft and contacting the national consumer reporting agencies (CRAs). The survey also assesses how consumers exercise their rights under the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA - 2003).

Overall findings:

• 68% of survey respondents were somewhat or very satisfied with their overall experiences with the national consumer reporting agencies (e.g., Equifax, Experian, and TransUnion), but many consumers said it was difficult to reach a live person.
• Less than half of the respondents were aware of most of their rights under FACTA before they contacted the consumer reporting agencies.
• Few consumers exercise their right to block selected information in their credit reports from identity theft and fraud, since most consumers (78%) don't know about this right
• Some respondents complained about feeling pressured to buy additional identity theft monitoring products when they called the consumer reporting agencies.

FACTA gave consumers the right to:

• Pace Fraud Alerts on their credit file with the nationwide CRAs,
• Request a free credit report from each of the three national CRAs when placing a fraud alert,
• Block fraudulent information from appearing in their credit reports,
• Receive a notice of these and other rights from the CRAs

When placing a fraud alert, consumer only need to contact one of the three national CRAs. After successfully placing a Fraud Alert on their credit file with one CRA, most of the time the other two CRAs will automatically add Fraud Alerts to the consumer's file on their systems. When requesting a Fraud Alert, consumers can also request a free copy of their credit report. Survey results about Fraud Alert and free credit report requests:

• 44% of survey respondents were not aware before contacting a CRA of their right to place a Fraud Alert on their credit file. Despite this, 85% of respondents ultimately requested a Fraud Alert on their file.
• When requesting a Fraud Alert, 58% of survey respondents reported that all three national CRAs placed alerts when requested. 36% of respondents were unsure what happened, and 6% reported that at least one CRA didn't place a Fraud Alert.
• 44% of respondents who requested a Fraud Alert said they were very satisfied with the process, 32% said they were somewhat satisfied, and 17% said there were either somewhat or very dissatisfied with the process.
• Most survey respondents (56%) requested their free credit report (when placing a Fraud Alert) by telephone, compared to the website (33%), and postal mail form (14%).
• Most (51%) said that they received their free credit report from all CRAs they contacted, while 33% stated that they received it from only some of the CRAs they contacted. 11% said that they did not receive any credit reports.
• 43% of respondents said that they were very satisfied with the process of requesting free credit reports after placing a fraud alert. 32% said that they were somewhat satisfied. 22% said that they were either somewhat or very dissatisfied.

Errors occur in credit reports, either from identity fraud or from honest mistakes by the CRA or lender. Consumers can dispute this erroneous data and demand that it be removed or corrected. Survey results about credit report accuracy:

• Most survey respondents (60%) were aware before contacting a CRA that they had the right to challenge the accuracy of information on their credit report.
• 36% of respondents who contacted a CRA disputed the accuracy of information on their credit report in connection with the identity theft that led to the contact. Of those who disputed information, 72% filed disputes with a CRA and while 46% contacted the creditor that provided the information to the CRA.
• The types of credit report information disputed: 47% challenged identification and employment (47%), payments (48%) about a specific debt, and unauthorized lenders who obtained their credit report (40%).
• Of survey respondents who disputed information in their credit reports, 52% said that the information was corrected or removed, 22% said that the information was not corrected, and 18% said that they were not sure what happened.
• Of survey respondents who had information corrected by the CRA, 42% said that the error was corrected after a single contact. 27% said the error was corrected after two contacts. 24% said the correction required three to five contacts, and 4% said they contacted the CRA six or more times.
• Of survey respondents who disputed information in their credit reports, most (57%) said that they were either very or somewhat satisfied with the process. 17% said that they were somewhat dissatisfied, and 21% said that they were very dissatisfied.

Consumers can block certain information within their credit reports that resulted from identity theft and fraud. Blocks are different from disputes. CRAs must respond within four (4) days after receiving a valid request to block certain data in a credit report. Survey results about blocking fraudulent information:

• Of survey respondents who contacted a credit reporting agency, 78% were not aware of the right to block information in the credit file. Few survey respondents (21%) exercised this right to block the reporting of information resulting from identity theft.
• Of those who requested that information be blocked, 46% said that all CRAs blocked the information. 18% said that some of the CRAs blocked the information, and 9% said that none of the agencies blocked the information.

The FTC concluded in its report (bold emphasis added):

"Despite the 68% general satisfaction rate with the CRAs, the survey reveals three areas where respondents faced difficulties in exercising their FACTA rights. First, one prominent complaint was the difficulty in reaching a representative at a CRA with whom to speak about identity theft. Many respondents said that it was difficult or impossible to move past the automated response system... Second, the survey results suggest that a relatively small number of identity theft victims are aware of their FACTA rights. Less than half of the respondents were aware of most of their rights prior to contacting the CRAs. Even for the most well-understood right – disputing inaccurate information – only 60% of respondents who contacted a CRA were aware of this right prior to contacting the CRA... Third, both the survey respondents and the focus groups raised concerns about the CRAs using consumer contacts about identity theft as an opportunity to sell identity theft protection products. Several respondents and focus group participants complained that they felt pressured to buy one or more products and that, in some cases, they received services that they did not want or need."

The FTC sent survey invitations to about 3,000 consumers who had previously reported to the FTC hotline that they were identity-theft victims. The survey questions were based on six focus groups conducted in 2009. 634 consumers responded. The FTC maintains the anonymity of all survey respondents. Download the FTC, Using FACTA Remedies Report (Adobe PDF - 4.9 M Bytes), which is also available here.

Want to learn more? Suggested readings about credit and CRAs:

• Fraud Alert Renewal: Easy And Fast
• Placing a Freeze (Or Lock) On Your Credit Files
• Fraud Alert or Credit Freeze: What's The Difference?
• Are Fraud Alerts Useless?
• Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms (Part One)?
• Have You Heard About Credit Reports From Innovis?
• Directory Of Credit Reporting Agencies
• What It Means To Have An Unrequested Security Freeze On Your Credit Report
• A Primer On Credit Scores
• FTC Testifies Before Congress About Identity Theft And Fraud
• FTC Changes Disclosure Rules For Sites Offering "Free" Credit Reports
• FTC Releases Report Of Top Complaints Submitted By Consumers During 2011

CFPB Reports List Of Consumer Complaints About Financial Products

In its annual report, the new Consumer Financial Protection Bureau (CFPB), a federal agency designed to ensure that financial products and services for consumers are beneficial for consumers, listed the leading complaints submitted by consumers. The CFPB accepts complaints about credit cards and mortgages.

The CFPB began operation on July 21, 2011. In its annual report (Adobe PDF) to the U.S. Congress, the CFPB reported that by December 31, 2011, it had received 13,210 complaints from consumers, including 9,307 credit card complaints and 2,326 mortgage complaints. 44% of all complaints were submitted through the CFPB website, and about 15% via telephone calls. The leading types of credit-card complaints received:

Leading Credit Card Complaints Reported By Consumers to CFPB. July 21 - Dec. 31, 2011	Number	Percent
1. Billing Disputes	1,278	13.7%
2. Identity Theft / Fraud / Embezzlement	1,014	10.9%
3. APR or Interest rate	950	10.2%
4. Other	854	9.2%
5. Closing / Cancelling Account	478	5.1%
6. Credit reporting	437	4.7%
7. Credit Card Payment / Debt Protection	383	4.1%
8. Collection Practices	378	4.1%
9. Late Fee	364	3.9%
10. Other Fee	334	3.6%
Total for Top 10 complaint types	6,470	65.9%

The types of mortgage complaints received:

Mortgage Complaints Reported By Consumers to CFPB. July 21 - Dec. 31, 2011	Number	Percent
1. Problems when you are unable to pay (Loan modification, collection, foreclosure)	889	38.2%
2. Other	540	23.2%
3. Making payments (Loan servicing, payments, escrow accounts)	501	21.5%
4. Applying for the loan (Application, originator, mortgage broker)	235	10.1%
5. Signing the agreement (Settlement process and costs)	96	4.1%
6. Receiving a credit offer (Credit decision/Underwriting)	65	2.8%
Total Mortgage Complaints	2,326	100.0%

The FTC advises consumers who experience identity theft or fraud with financial products to both submit a complaint to the CFPB and submit a complaint to the FTC.

I like the CFPB's mission and its website. The agency's consumer response mechanisms are still new and in their infancy. They will become more beneficial as the agency identifies and resolves problems. What is your opinion of the CFPB?

PHI Project Releases Report About Health Care Data Security

On Monday, the PHI Project released a report about the state of data security within health care organizations titled, "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security." Key findings:

• Weak Data Security: health care organizations are entrusted with safeguarding patient privacy, but their security efforts are not keeping pace with the growing risks of lost/stolen protected health information (PHI),
• Data Breach Activity: the number and size of data breaches including PHI are increasing. The negative impacts are financial, legal, clinical, and reputational for the organizations experiencing data breaches,
• The PHI Project recommends that health care organizations implement a five-step method – PHI Value Estimator (PHIve) -- to evaluate the risks of a breach of PHI data, and implement preventative measures.

According to Rick Kam, president and co-founder of ID Experts and chair of the PHI Project:

“No organization can afford to ignore the potential consequences of a data breach... We assembled this working group to drive a meaningful dialogue on appropriate levels of investment to better protect healthcare organizations and PHI.”

The PHI Project is a partnership including the American National Standards Institute (ANSI) via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA) -- with assistance from ID Experts.