
25 posts from September 2007

Which is Better: Debit or Credit Cards?

In the MSNBC Red Tape Chronicles blog, Bob Sullivan provides complete answers to this question. His answers cover two important points -- prevention and recovery -- related to fraud and identity theft:

"Fraud protection. Federal law affords credit card consumers better protection than debit card users. Credit users' obligation is capped at $50. Debit users can be on the hook for $500 if they don't report fraud within two days of learning about it and face unlimited liability if they wait more than 60 days. In practice, both debit and credit users generally enjoy zero liability guarantees from their banks, but those generous debit policies can be changed at any time. Consumer protection under the law is a safer bet."

And:

"Fraud recovery. Getting money back in the event of fraud is much easier for credit customers than for debit users. When a criminal uses your credit card, all you have to do is refuse to pay for the fraudulent purchases. When a debit card is stolen, the money disappears from your account, and the burden is on the consumer to call the bank and get that money replaced. Anyone who's ever logged online to see a zero balance or been denied cash at an ATM after an incident like this will tell you that is no small distinction."

And perhaps most importantly for consumers burned by data breaches at retailers like TJ Maxx:

"When there's a big data theft, such as in the TJ Maxx case, you'll really wish you used your credit card. Even though the criminals don't have your PIN, they can still perform signature-based debit transactions with your card and drain your account."

Me? I use my debit card only at my bank's ATM machines and grocery shopping. All other times, I use cash or occasionally a credit card. In restaurants with table service, I use cash because the waiter/waitress takes your credit card out of your eyesight.


Does Your Employer's Computer Liquidation Process Create Data Breaches?

Recently, a friend who is an IT (Information Technology) professional told me how much they enjoyed my prior post about How To Destroy a Hard Drive in 5 Seconds. We agreed that identity theft and data security are huge problems. Then, my friend shared an unsolicited story about a data security incident at my friend's company. I am not disclosing any names. The point is not where this happened, but what happened and how many other companies have the same security issues.

Pat (not my friend's real name) shared this story... Pat's employer uses a computer liquidation service to liquidate (e.g., recycle, resell, or destroy) used computer equipment that's at the end of its useful life: laptops, desktops, servers, printers, and such. The computer liquidator erases any data on hard drives and liquidates the computer equipment. Pat's employer uses a separate shipping vendor to transport the computer equipment from their offices to the computer liquidator's location. This sounds simple enough.

Anyway, a security guard in the building where Pat works pulled Pat aside one day to see a used laptop the guard had acquired. Pat looked at the laptop, powered it up, and quickly noticed that the laptop was equipment from Pat's company that should have been liquidated. The laptop contained both data and software, including LAN/intranet access software. The security guard explained that a driver from the shipping company gave the laptop as a gift in return for a favor.

Pat notified the IT management at Pat's employer. Management's solution to this data breach was to fire the shipping vendor and hire another vendor.

Wow!

It's stories like this one that reinforce my impression that many companies do not take data breaches seriously -- and do not do enough to protect the sensitive data they choose to archive, or train their staff adequately.

I'm not a data security professional, but since I've started writing I've Been Mugged I've learned enough to spot several problems with how Pat's company mismanaged their data breach:

  1. There was no clear recognition that a data breach had occurred. The security guard had access to data on the laptop which the guard shouldn't have had access to -- the definition of a data breach.
  2. Pat's company did not investigate the extent of the data breach. What other computer equipment had the shipping vendor already distributed as gifts prior to this event? What sensitive data did this equipment contain?
  3. Pat's company doesn't seem to demand any security or background checks of drivers for the shipping vendor.
  4. Why wasn't the laptop retrieved from the security guard?
  5. Pat's company doesn't seem to perform any validation or checks with the computer liquidator that the manifest of computer equipment sent was actually received and data was erased.

I wonder how many companies have the same faulty computer equipment liquidation process... data security holes, data breaches, and all. Thank God I don't work at Pat's employer.


More Analysis of TJX's Offer To Its ID-Theft Victims

The Truston Identity Theft blog has an interesting analysis of TJX's actions. The post covers two important points. The first is what I call "yield:" the number of ID-theft victims that opt-in for a company's free credit monitoring offer:

"They (TJX) offer credit monitoring to just 10% of the total breach number (455,000) and then announce a retail sale at the same time. If they require the victims to opt-in and order the monitoring to get it, then they will likely only have to pay for around 20–30% of the 455,000 they are offering it to. That’s a rule of thumb in the industry for the typical number of people that opt-in for free victim support for credit monitoring. So, 45 million accounts are breached and maybe TJ Maxx ends up paying for services for 90,000–135,000 people."

Wow! What a slick move to minimize responsibility. In my opinion, total sleaze.

Now the second point: synthetic ID-theft. This is when the identity thief mixes one person's SS# with another person's name in an attempt to evade detection. The Truston blog references Ed Dickson's Fraud, Phishing, and Financial Misdeeds blog:

"One thing that concerns me is that the settlement offer states that one of the requirements to receive compensation will be that the identification number compromised has to match their Social Security number. I guess that TJX and their affiliates don't want to address the rising phenomenon of synthetic identity theft? When synthetic identity theft is committed different parts of a person's identity are crafted to create a new one."

Ed also provides some good background on the shady world of re-selling personal data:

"In the identity theft world -- which is what the concern about this data breach is all about, when a SSN or SIN (in Canada) is compromised -- the criminal compromising the information has all the information necessary to complete a full identity assumption. In the dark world of Internet forums that sell this information, a complete identity (SSN, or SIN included) is often referred to as a "full." The complete information on a person is simply worth a little more money to the criminals purchasing it."

Lovely, eh?


Canadian Officials Criticize TJX's Data Security

More about TJX from yesterday's Daily Business Update:

"Retailer TJX Cos. failed to put in place adequate security safeguards to protect customer information, the privacy commissioner of Canada said today."

TJX operates the Winners and HomeSense retail chains in Canada. The news article explained further:

"A joint investigation by Canada's commissioner of privacy and Alberta's privacy commissioner was launched after TJX, the Framingham-based operator of such chains as T.J. Maxx and Marshalls, disclosed in January that its computer system had been breached, resulting in the theft of millions of credit card and debit card numbers..."

Perhaps most importantly:

"The company collected too much personal information, kept it too long, and relied on a weak encryption technology to protect it - putting the privacy of millions of customers at risk..."

Do you still want to shop at Marshalls, HomeGoods, and/or TJ Maxx? First, read this background about TJX's out-of-court settlement. Then, read a January 2007 TJX press release about how TJX was improving its data security:

"[TJX] immediately engaged General Dynamics Corporation and IBM Corporation, two leading computer security and incident response firms. TJX has been working aggressively with these firms to monitor and evaluate the intrusion, assess possible data compromise, and seek to identify affected information. These firms have assisted TJX in further securing its computer systems and implementing security upgrades."

Yep! That's the same IBM that suffered its own data breach in February 2007 and lost an undisclosed number of records with sensitive personal data about its employees and former employees.

Last, the N.H. Department of Justice web site posts copies of all data breach notification letters it receives. I checked the site this morning and noticed that TJX hadn't updated their January breach notification letter, portions of which contain old and obsolete information.


TJX's Offer To Its ID-Theft Victims Deserves Scrutiny

At the Javelin Strategy blog, Mary Monahan analyzes TJX's announcement and settlement offer to its ID-theft victims:

"Late Friday night, after sundown on Yom Kippur to be exact, TJX made the announcement of the settlement agreement for their customer class action suits. In retail delivery, timing is critical and TJX has taken that message to heart. Tired of the constant negative PR, TJX decided to slip this announcement in at a time when it would get the least notice and press play."

I really like this part:

"... TJX has come to a settlement: three years of credit monitoring to those consumers whose personal information such as driver’s licenses and Social Security numbers were stolen in the breach (455,000) and a $30 TJX voucher for those clients who can show that they lost time and money due to its data breach (e.g., those whose credit card numbers were breached, namely, 45.7 million consumers), and $6.5 million to the attorneys."

Three years of free credit monitoring is a solid step in the right direction, and a longer period than most other companies' credit monitoring offers. More importantly, Monahan does an excellent job of shining a spotlight on TJX's marketing:

"A voucher to get millions of customers into its stores to shop. How neat and clean for TJX. And with a voucher, either money is left on the table, or consumers end up spending more money in the store to realize the full value of the certificate. Some lucky consumers will even get two vouchers if they can prove their costs exceed $60."

A voucher is good only if you plan to shop at a TJX brand store. If you are one of the thousands of former TJX customers who vow to never shop at a TJX-brand retail store again, the voucher is worthless. It's like giving somebody the sleeves off a vest. This is not responsible corporate citizenship. If TJX is going to pay its ID-theft victims, then pay them! Cash is always good. And if they can pay the lawyers in cash, they can pay their customers in cash, too.

The Javelin Strategy blog adds:

"Vouchers to clear up lawsuits are frowned upon by consumer rights advocates because they can drive up sales; even while class action attorneys accept them eagerly because they pocket larger fees as a result. Note that attorney fees are not paid in vouchers; if they were, we’d quickly see an end to this settlement practice... this is a merchandising company who knows how to milk a data breach for every sales dollar."

I strongly encourage you to read the complete Javelin Strategy blog post... and boycott TJX brand stores. I already do. Here's the list of retail stores owned by TJX:

  • A.J. Wright
  • Bob's Stores
  • HomeGoods
  • HomeSense (Canada)
  • Marshalls
  • TJ Maxx
  • TK Maxx
  • Winners (Canada)

To learn more, also read the TJX Settlement Agreement online and read this prior TJX post.


Equifax and Experian Follow TransUnion With Nationwide Credit Report Freeze

This is great news for consumers and it was expected. According to the Atlanta-Journal Constitution newspaper:

"Under pressure from a big competitor and consumer activists, Atlanta-based Equifax said Friday it will let consumers nationwide "freeze" their credit reports to deter identity theft."

Equifax's service will be available at the end of October. Experian is planning an announcement to offer a comparable service within the same time-frame. Want to learn more? Read these prior posts about TransUnion, the Fraud Alert tool, Massachusetts' new identity-theft law, and insurance reports from Choice Trust.

While this is good news for consumers, the $10 fee to lift, remove, or add a credit report freeze is too high. Massachusetts' new identity-theft law sets a limit at $5, similar to several other states. And ChoicePoint is silent on providing a comparable service for C.L.U.E. reports.


F.B.I. Investigates Unisys For Homeland Security Data Breach

What is it with computer companies that know better and still suffer data breaches? First IBM and now this ZDNet news item about Unisys:

The FBI is investigating allegations that Unisys failed to detect a Chinese Web site's cyber break-ins on computers at the U.S. Department of Homeland Security and then tried to cover up its shortcomings, according to reports. Unisys won a $1 billion contract in 2002 to build and manage information technology networks at the department and the Transportation Security Administration. But evidence gathered by the Homeland Security Committee of the U.S. House of Representatives indicates network-intrusion devices were not properly installed and monitored, The Washington Post reported Monday.

Apparently, Chinese hackers broke into about 150 DHS computers from June through October of 2006. Note the number. That's not 5 or 15 or 50 computers, but 150! The F.B.I. is investigating Unisys for criminal fraud... falsifying reports to get a government contract.

It's really sad and laughable when computer companies that are in the business of data security, and who know better, don't practice what they preach.


TJX Settles Out Of Court On Data Breach Lawsuit

From the September 21 Boston Globe newspaper:

"[Reuters - September 21, 2007] NEW YORK -- TJX Cos Inc said Friday it and Fifth Third Bancorp had agreed to settle class action lawsuits brought on behalf of customers in the United States, Puerto Rico and Canada who were victims of a criminal intrusion into TJX's computer system."

This news story also made headlines in Canada. What I found most important in this news article:

"Under the settlement, which is subject to certain conditions, TJX customers who had their driver's license or other identification information stolen after making returns without a receipt, are being offered two to three years of credit monitoring and identity theft insurance and the cost of replacing IDs. Other affected customers are to receive vouchers, the company said."

Note: TJX offered its identity-theft victims 2 to 3 years of credit monitoring, not one year as IBM offered in response to IBM's data breach.


Fraud Verification Phone Calls: Good or Bad?

In the Javelin Strategy blog, Heather Peters questions whether calls from your credit card issuer to verify purchases are stress or reassurance:

"I was recently on a vacation abroad. I failed to mention to my bank that I would be traveling. After a few transactions in Italy my HOME phone number was called and asked to validate the transactions. Now luckily I had family staying at the house and when I called to check-in they let me know the bank had called and needed me to call and verify use of the card for international transactions."

Heather wondered what would have happened if she hadn't called her credit card issuer:

  1. "What if I did not have someone at home – would they have frozen my card and left me in the cold?"
  2. "There was not an international number to call on the back of my card so it was really difficult and frustrating trying to contact them and let them know that yes I was traveling."

I'm glad that Heather wrote about this. I agree. It is a good security habit for credit card issuers to contact cardholders when they see purchases outside of the cardholder's normal pattern. I don't worry about it because a) I can check my home voice-mail remotely, and b) while traveling internationally, I always have Internet access and can look up the phone numbers on my credit-card issuer's web site.

I had a similar experience in 2004. I live in Boston. My employer sent me to London for a month-long business trip. Immediately after that trip, I planned a cruise vacation around the Hawaiian islands. I sent a letter in advance to my credit card issuer informing them of my travel itinerary (and pre-paid part of my bill). I had no problems during either trip.

Before my trip, I'd also contacted my bank to verify ATM availability in London. My bank advised me that ATMs in London required a shorter PIN entered than the PIN I used in the USA. So, I modified my PIN accordingly.

All of this may seem like a hassle, but I look at it this way: this preparation is far less hassle than being stranded in a country without cash and without credit cards.


Credit Bureau Announces Nationwide Security Freeze

This is huge news... great news! The national credit bureau, TransUnion, announced in a press release on September 18, 2007:

"... effective October 15, 2007, it will offer the credit reporting industry's first complete file freeze solution. While consumer access to placing a file freeze continues to be driven at the state level, some state-enacted laws are not yet effective and other states have not enacted such laws. With its announcement today, TransUnion becomes the first credit reporting company committed to providing U.S. consumers in all 50 states and the District of Columbia with the ability to freeze their credit files, should they feel that step is warranted."

This is great news because it helps everyone. It helps identity-theft victims stop thieves from doing further damage to their credit, and it helps everyone else prevent themselves from becoming an identity-theft victim.

TransUnion's Security Freeze tool is free for identity-theft victims and it costs $10 for others to add, lift, or remove a Security Freeze. TransUnion offers the True Credit web site for consumers to sign up for the security service. For $14.95 per month, consumers also get:

  • Unlimited access to their credit reports from all 3 national credit bureaus
  • Unlimited access to their credit scores
  • One-click access to lock or unlock your TransUnion credit report
  • $25,000 of identity-theft insurance at no additional cost
  • You can cancel the service anytime

The Security Freeze is a critical tool for consumers to protect their finances and fight identity theft. The Security Freeze tool is far stronger than the Fraud Alert tool. If the other two national credit bureaus -- and Choice Trust with their C.L.U.E. insurance reports -- are smart, they will provide the same tool soon. It needs to get done for complete protection for consumers.


Pfizer's Third Data Breach Confirmed

I listed in an earlier post companies facing data-breach-related lawsuits where personal data was lost or stolen. Well, there's more regarding Pfizer.

Earlier this week in his FTP Planet blog, Hugh Garber quoted a CSO news article:

"Pfizer Inc. appears to be having an especially hard time of late keeping its employee data secure. The company today confirmed that as many as 34,000 of its employees may be at risk of identity theft after a former employee illegally accessed and downloaded copies of confidential information from a Pfizer computer system without the company’s knowledge. The compromised information included names, Social Security numbers, dates of birth, phone numbers and bank and credit card information."

Geez. You'd think that Pfizer would have learned after their first data breach. Obviously not. Pfizer's employees and former employees should receive free credit monitoring and credit restoration for life.

Also, I agree with Hugh's conclusion:

"I believe that it is the obligation of a company to protect the confidentiality and privacy of customer & employee data at all times. A big part of this responsibility is to ensure that files and data are secured and only authorized people have access to it. On an FTP server, this job falls to the network administrator who can set up specific permissions to allow certain people to access certain folders and data (and thus blocking everyone else from accessing that same data)."

Peter Rost titled one of his blog posts the best: "Quote: The clowns at Pfizer clearly have no way of keeping confidential data safe"

All of this should give the Louisiana lawsuit more ammunition. You can bet I'd never go to work for Pfizer given their poor data security history.


Your Phone Number on the 'Do Not Call' List May Expire Soon

To protect their personal data (and their sanity), many consumers have chosen not to receive phone-based offers from telemarketers. Yahoo News and the Chicago Tribune newspaper both reported today an Associated Press article:

The cherished dinner hour void of telemarketers could vanish next year for millions of people when phone numbers begin dropping off the national Do Not Call list... Numbers placed on the registry, begun in June 2003, are valid for five years. For the millions of people who signed onto the list in its early days, their numbers will automatically drop off beginning next June if they do not enroll again.

What's most important about this story is not the 149 million phone numbers registered in the Do Not Call database. What's most important is consumers' growing awareness of the tilt in the U.S. system that makes it easy for companies to share their personal data. The best evidence of this growing awareness is a comment like this:

"If you wanted to keep your numbers on [The Do Not Call list] for a lifetime, you should have that option. There's no reason I should need to remember to register every five years."

I agree! We consumers shouldn't have to re-register. The system tilt is the automatic opt-in. This tilt forces consumers to remember to re-register their opt-out at several sites, many of which have different expiration schedules:

  • To stop phone calls, the Do Not Call Registry operated by the U.S. Federal Trade Commission. Residents in some states must also contact the Telephone Preference Service operated by the Direct Marketing Association (DMA).
  • To stop e-mail offers, the E-mail Preference Service operated by the DMA.
  • To stop snail-mail offers, the Mail Preference Service operated by the DMA.
  • To stop pre-screened financial and insurance offers, the Opt-out Pre-screen resource operated by the Consumer Credit Recording Industry.
  • To slow down sharing of your credit information, contact the three national credit bureaus to place a Fraud Alert on your file.
  • To stop sharing of your credit information, consumers in about 37 states can place a Security Freeze by contacting their local state agency or a national credit bureau.
  • To stop sharing of your insurance information, consumers in about 11 states can place a Security Freeze on their C.L.U.E. insurance files at the Choice Trust site.

Notice the trend? In all of the above sites, the burden is entirely on consumers to opt-out. This makes it harder for consumers to manage who has access to their personal data.

What to do: call your elected officials and ask them to support House bill H.R. 3541. Want to learn more? See my prior post about opt-out resources for consumers.


TD Ameritrade's Data Breach Highlights Online Brokerage Security

I've written several posts about the missteps companies make after a data breach. Here is an example of one company communicating well with its customers to prevent data breaches.

This morning, I received an e-mail message from E-Trade titled "Tips to Protect your Identity." I was not surprised to receive this message, given E-Trade's prior security e-mails and TD Ameritrade's recent data breach. E-Trade's e-mail:

"Identity theft is a serious issue, no matter how it originates. The vast majority of online fraud is a result of a compromised personal computer - when a consumer knowingly or unknowingly discloses identifying information like their user name and password. By exercising caution and following some basic guidelines, you can reduce your chances of falling victim to online identity theft."

  1. Be suspicious of ANY email that asks for sensitive personal information, even if the sender seems to be familiar.
  2. Never open attachments or click links in spam or unsolicited emails.
  3. Avoid filling out forms contained in an email message or pop-ups, even if they appear to be from a legitimate company with whom you do business.
  4. Run the latest version of a proven anti-virus software program on your computer.
  5. If you have logged on to a Web site, log off when you are finished and close your browser completely.

"At E*TRADE FINANCIAL we protect every asset and transaction you make with our Complete Protection Guarantee, providing complete fraud coverage, payment and privacy protection. In addition, we've introduced the Digital Security ID(1) to help our customers protect their identities by making unauthorized account log on virtually impossible."

"Rest assured, E*TRADE deploys advanced protection solutions to ensure our systems are secure. Our strict physical, electronic and procedural safeguards are designed to exceed industry standards and safeguard customers' non-public information. We encourage you to take an active role in protecting your identity. Visit www.etrade.com/onlinesecurity for more details on these services as well as additional security tips. If you suspect that you have received a fraudulent email from E*TRADE, please contact Customer Support at 1-800-838-0908.

Sincerely,
Tom Roberts
Vice President,
E*TRADE Financial Corporate Services, Inc."

It's always a good business practice to issue prompt, timely communications that, a) remind your customers of good security habits, b) reinforce the company's e-mail and security policies, and c) provide customers with multiple channels of communication. I hope that TD Ameritrade customers receive something similar.


Companies Can Learn From Don Imus' Blunder About How to Manage a Data Breach

You may remember, earlier this year radio shock-jock Don Imus lost his job after making some insulting and offensive remarks on-air about a women's college sports team. You might say Imus had a data breach of the mouth.

In his article "What Don Imus Can Teach IT," Larry Ponemon (founder and CEO of the Ponemon Institute LLC) lists 10 things companies can learn from the Imus "implosion" about the prevention and containment of data breaches:

"1. It takes only one breach to make people unhappy and get you fired -- or, in the case of a company, lose lots of good customers. Some 20 percent of data-breach victims cut ties with institutions that compromised their privacy, according to one study we recently conducted."

"2. Never underestimate the cost of a breach. Not only did Imus lose his job, but the lost sponsors and reparations to the victims could cost millions. According to Ponemon Institute's 2007 Cost of a Data Breach study, breaches can cost companies millions of dollars... On average, the cost of a data breach is $182 per compromised record, a 31 percent increase over 2005."

"3. Reputations suffer and trustworthiness declines following a breach. In the days following his remarks, Imus struggled to regain his reputation and popularity to no avail. The same holds true for many organizations that suffer a breach. We conduct an annual study to determine which companies in a variety of industries are most trusted by consumers. In our 2007 Most Trusted Companies study we decided to track the impact a data breach can have on a company's perceived trustworthiness. There were 12 companies in our study that had data breaches that required them by law to notify consumers and employees that sensitive information was lost or stolen in the period following the 2006 study. In 2006, these 12 companies had aggregate trust scores that were 1 percent above the average score. Following the breach, their 2007 scores were 23 percent below the aggregate most trusted list average."

Amen to that!

My trust in IBM increased slightly when IBM notified me about their data breach, since I live in a state where data breach notification is not required.

My trust in IBM started to waver when IBM notified me in May 2007 -- over 2 months after their February 2007 data breach. My trust in IBM started its decline when I couldn't get any answers about the progress of its investigation into the data tape "loss." My trust in IBM declined when I learned about IBM's internal policy to archive forever the personal data of former employees, without providing a satisfactory explanation for archiving my personal data. My trust in IBM continued its decline when I learned about IBM's watered-down credit monitoring service offer.

The remaining 7 items in the "What Don Imus Can Teach IT" article are a worthy read. In my opinion, this article should be required reading not only for IT (Information Technology) professionals, but also required for CIOs (Chief Information Officers), senior Human Resources executives, and a company's marketing executives.


Inside Job at TD Ameritrade's Data Breach?

While many seem to be accepting at face value the spam claim by TD Ameritrade about their data breach, SC Magazine is asking one of the tough questions. In his article, Jim Carr writes:

"Was TD Ameritrade, which revealed on Friday that contact information for 6.3 million customers was stolen from one of its databases, victimized by an attack from an insider?"

Carr quotes Phil Neray, Vice President at Guardium, who asserts:

"This has all the signs of an inside job... I would say it's highly likely that it was done by a privileged administrator within Ameritrade."

My point: the hard questions have to be asked and answered. And this is one of them. I learned this from my experience with IBM's data breach. When companies experience a data breach, they have to be forthcoming with answers to the tough questions to give their customers (and investors) some assurances of data security. In my experience, IBM didn't and my confidence with IBM declined as a result.

Avoidance or reluctance to answer the tough questions means there's effectively no accountability... no oversight about the internal investigation. This leaves ID-theft victims wondering if anyone is telling them the truth, or the whole truth.


Is TD Ameritrade Doing Right By Its Customers After Its Security Breach?

In his Between the Lines blog, Larry Dignan discussed TD Ameritrade's data breach and his experience as one of 6 million Ameritrade customers affected. TD Ameritrade has hired ID Analytics, Inc. "to investigate and monitor for potential identity theft." According to Larry's blog, TD Ameritrade stated that:

  • "Assets are safe since user IDs, personal identification numbers and passwords were kept in a separate database;"
  • "Email addresses, names, addresses and phone numbers were taken. This fact explains why TD Ameritrade was investigating a bunch of spam complaints;"
  • "Account numbers, date of birth and Social Security numbers were in the breached database but not taken."

Is TD Ameritrade doing right by its customers?

After a data breach, companies seem quick to declare the "there's no evidence... sensitive data was used" line. Just because Ameritrade claims there was no evidence of sensitive data taken (e.g., SS#, DOB) doesn't mean it wasn't taken. The lack of evidence doesn't mean a theft didn't occur, couldn't have occurred, or won't occur.

I call this "lawyer speak," and I wonder how often it is used to downplay the severity of a data breach or to limit the company's liability. Lawyer speak can mislead ID-theft victims into believing the data breach isn't as serious as it really is. I encountered this lawyer speak with IBM, especially when IBM repeatedly made the same statement (no evidence of theft) and described the personal data as "lost" rather than stolen.

Any time sensitive data is exposed, there is the risk it'll be used criminally. In my mind, the risk period is very long... basically the rest of the ID-theft victim's life.

Also, this lawyer speak seems to be the first step in shifting the burden of the data breach from the company to the ID-theft victims. As long as Ameritrade claims that the breach was only about spam, it's no big deal and probably not worthy of more aggressive actions... like providing Ameritrade customers with free credit monitoring and credit restoration services for the next two years. The burden today is on the ID-theft victims to monitor their accounts and find any evidence (beyond spam) of theft or fraud.

Fortunately, we've already discussed on I've Been Mugged many of the issues confronting Larry and other Ameritrade customers:

  1. Timely communication of information: Ameritrade should have a web site, or a site section, dedicated to informing affected customers... with regular updates... not just a PDF of a press release on its investor relations site. Don't do what IBM has done: IBM hasn't updated its data breach site since the original announcement.
  2. Status of the data breach investigation: Ameritrade claims that sensitive data (e.g., DOB, SS#) was exposed but not stolen. Huh? Identity thieves know the value of personal data. Ameritrade needs to provide clear evidence supporting this claim as 100% accurate, or abandon it. If Larry doesn't get this evidence, then he has to assume the worst and act accordingly to protect his identity.
  3. TD Ameritrade is required by law in many states to disclose the data breach. ID-theft victims should know their rights; some are state-specific. Good starting resources are the ID Theft Resource Center and the Privacy Rights Clearinghouse. Links to more resources are in the column on the right.
  4. Understand the best features in a credit monitoring service (which TD Ameritrade should offer Larry, since its data breach created the ID-theft risk). Learn from the concerns with IBM's credit monitoring offer. Ameritrade probably won't offer ID-theft victims a credit monitoring service as long as it clings to the "no evidence that sensitive data was taken" claim and treats the data breach as a spam-only issue.
  5. Understand the need to monitor credit reports, and the limits of the Fraud Alert tool offered by the credit bureaus.

If I were Larry, I wouldn't be so quick to accept TD Ameritrade's statement at face value. Why? First, identity thieves know the value of personal data. DOBs and SS#'s are far more valuable than e-mail addresses for spam. Second, the fact that hackers placed unauthorized code on Ameritrade's computers shows an intent to steal, to be stealthy about it, and to keep stealing. Third, this isn't Ameritrade's first data breach.

I suggest that Larry talk with Ameritrade about the data breach, as I did with IBM. I'd demand details about TD Ameritrade's data breach investigation, as I did with IBM. If Larry doesn't get satisfactory answers, he should move his accounts to another brokerage. I wish that I had that option with IBM. I didn't because IBM was a prior employer, and I didn't have a customer relationship with them.


Skepticism About IBM's Data Breach Notice

After reading several blog posts about IBM's data breach, I have been surprised by the number of former employees who consider IBM's data breach letter a scam. From the Being Peter Kim blog:

"Has anyone been able to verify the authenticity of this whole thing? It has warning signs: 1) No Dates, 2) No street addresses, 3) "Kroll Fraud Solutions" is not listed with BBB, 4) Kroll.com does not list an ‘office’ in Des Moines, IA, 5) IBM’s websites do not have any information about any of this, 6) Major US news sites (CNN, NBC, ABC) do not have info on this. It all seems very suspicious!" [Posted by Jennifer on 30 June 2007]

From the Brain Lint blog:

"We received one of these too. Thinking it would be a clever scam and wondering if we should respond or ignore or pursue and turn them in… Or is this legit? No way to tell short of calling IBM. Number for Kroll is in the mail and will call but still…" [Posted by Lynn on 9 June 2007]

"I got the same letter, at first I thought it was a scam by the company offering the Identity Theft protection. I worked in Clearwater, FL for IBM back in 2000-2001 for Global Services. Was this a regional or divisional problem for IBM? I am contacting friends to see how many people were involved. It is ironic this happened RIGHT after the notices for suing over lost overtime went out to IBM employees?" [Posted by Former Blue on 12 June 2007]

"I just went through a pile of mail and found the same letter. Ironically, I never worked for IBM, although I did work for Lotus but left just before IBM acquired them in 1995. Like Lynn, I’ll be checking this thing every which way to make sure it’s not scam." [Posted by Jack on 18 June 2007]

Some skepticism is understandable given all of the phishing scams e-mail users endure. But I haven't received any phishing letters via postal mail. I hope that isn't an emerging trend.

While some skepticism is healthy and understandable, there are plenty of authoritative news sources and blogs that verify IBM's data breach, an IBM web site dedicated to the data breach, and IBM's breach letter posted on the New Hampshire Department of Justice web site.

The fact that some consumers are skeptical raises some interesting issues:

  • What responsibility do companies have to notify ID-theft victims (customers, employees, and former employees) via multiple communication channels? The above skepticism could be an indicator that an e-mail-only or postal-mail-only data breach notice is not enough.
  • What responsibility do state governments have to facilitate data breach notifications? The example that comes to mind immediately is how the state of New Hampshire's Department of Justice posts data breach notifications on its web site.
  • What responsibility do consumers have to verify, via an alternate channel, any data breach notification they receive?
  • Are the current data breach notification methods sufficient? Like anything else in life, standards change or evolve. So too should data breach notification methods.

Data Breaches and Lawsuits

After IBM notified me of their data breach, I started reading about lawsuits against companies whose data breaches exposed the personal data of employees and former employees -- and not just data breaches affecting a company's customers.

NetworkWorld reported that Girard Gibbs, a California law firm, has filed a class-action lawsuit against Fidelity National Information Services (FIS) and its subsidiary, Certegy Check Services, for the data breach that potentially compromised the personal data of 8.5 million consumers. The suit charges both companies with "negligence, invasion of privacy and breach of implied contract."

Earlier this year, the Massachusetts Bankers Association filed a class-action lawsuit against TJX Companies, Inc. for its massive data breach, in which the credit card and debit card information of more than 45 million customers was compromised. The banking group seeks tens of millions of dollars to recover costs, since its member banks were forced to cancel and reissue thousands of debit cards. Some experts estimated the cost to be at least $25 per reissued debit card. The Connecticut Bankers Association and the Maine Bankers Association have joined this lawsuit. The intrusion into TJX's computer systems began in 2005, and the thieves stole data from as far back as 2003.

The American Federation of Government Employees (AFGE) filed a lawsuit against the Transportation Security Administration (TSA) after a TSA data breach exposed the personal data and employment records for 100,000 employees. The AFGE represents workers in the Department of Homeland Security. The "lost" computer hard drive contained names, SS#'s, birth dates, payroll, and bank account information. The lawsuit charged, "that by failing to establish safeguards to ensure the security and confidentiality of personnel records, TSA violated both the ATSA (Aviation and Transportation Security Act) and the Privacy Act of 1974."

In June 2007, a former employee filed suit against Pfizer, the world's largest drug company, claiming that the data breach caused "fear and apprehension of fraud, loss of money and identity theft." The data breach exposed the personal information (e.g., names, SS#'s, addresses, home and wireless phone numbers, and payroll bonus information) of over 17,000 current and former employees. According to the news reports, Pfizer offered its ID-theft victims a $25,000 identity theft policy and one year of free credit monitoring. Others were concerned about Pfizer's delayed data breach notification.

I can definitely understand the feelings of apprehension. What about you?

Next entry: skepticism about IBM's data breach notice


New ID Theft Law in Massachusetts (Part 2)

Since IBM notified me about their data breach, I've paid more attention to Identity Theft legislation in Massachusetts, where I live and work. If you live in Massachusetts, then this new law affects you. If you live in another state, this is an opportunity to evaluate your state's identity theft laws.

Before Massachusetts' new ID-theft law becomes effective in November 2007, I wanted to understand the details and what to expect. Of course, I want to judge how well my state implements this new law.

So, I read both the Massachusetts House and Senate draft versions of the proposed law, plus the final version of the new law. This helped me understand the features and benefits of the new law (and which features didn't make it into the final version). Negotiations between state lawmakers, companies, and credit bureaus weren't covered much in the local news media, but I firmly believe that they affected the features in the new law.

If you want to read the new law, see the St.2007, c.82: Security Freezes and Notification of Data Breaches. The link is also listed in the right column under "Massachusetts Resources." The major features in Massachusetts' new identity theft law:

  • Personal data to be protected: regardless of the format it is stored in, the personal data that companies and state agencies must protect is a resident's first name and last name (or first initial and last name) in combination with the resident's SS#, driver's license number, state identification number, or financial account data (e.g., a debit or credit card number, with or without a security code, access code, or password).
  • Data breach notification for consumers: companies and government agencies must notify affected Massachusetts residents as soon as possible when their personal data (e.g., SS#, driver's license number, etc.) has been lost or stolen. Notice is triggered by unauthorized access to the personal data, regardless of whether there is a likelihood of harm. It doesn't matter if the data is encrypted or not.
  • Data breach notification for the state: companies and state agencies must also notify the Massachusetts Director of Consumer Affairs and the Attorney General. The notice must describe the nature of the data breach, the number of Massachusetts residents affected, and any steps taken relating to the data breach. The notice to consumers does not have to include these details.
  • New "Security Freeze" option: allows consumers to "lock" their credit reports to prevent identity thieves from fraudulently opening new accounts in their names. This option is free for ID-theft victims; up to $5 for others. Credit bureaus must provide a PIN within 5 days of the consumer's Security Freeze request. The consumer uses the PIN to control access to their credit report. Credit bureaus must implement a Security Freeze within 3 days of the consumer's request, and lift (or remove) the freeze within the same number of days.
  • Disposal of records with personal data: the new law sets rules for the proper destruction of records by companies and government agencies.
  • Consumer access to police report: local police must provide ID-theft victims with a copy of their police report within 24 hours, even if the identity theft occurred elsewhere. This provision of the law takes effect February 3, 2008, and not in November 2007 with the rest of the law.

This is great news and a huge step forward. Previously, data breach notification was not required. Now, it is. The Security Freeze provision offers better and stronger protection than the existing Fraud Alert tool from the credit bureaus. However, there are some limitations in the law:

  • The new law does not specify exactly how quickly (e.g., number of days, weeks, or months) data breach notification must be sent. Notice must be sent in writing to each Massachusetts resident affected by a data breach. In my opinion, speed is important, since identity thieves act quickly.
  • Possible loophole: "substitute notice." The law reads, "Notice shall include: (iii) substitute notice, if the person or agency required to provide notice demonstrates that the cost of providing written notice will exceed $250,000, or that the affected class of Massachusetts residents to be notified exceeds 500,000 residents, or that the person or agency does not have sufficient contact information to provide notice." In those cases, the company or government agency can notify ID-theft victims via e-mail, a posting on a web site, publication in broad news media, or via the state department of consumer affairs, instead of by a written letter.
  • The "substitute notice" feature could be a problem for former employees and retirees. While consumers who are stockholders or have a retirement account with their former employer likely follow the mergers, acquisitions, and name changes of that employer, others may not. Consumers who don't follow a former employer's mergers, acquisitions, or name changes may not recognize a substitute notice from the new company.
  • The new law doesn't state what the penalties are for credit bureaus that violate the Security Freeze provisions. Section 9 of the new law reads, "You may be entitled to collect compensation, in certain circumstances, if you are damaged by a person's negligent or intentional failure to comply with the credit reporting act." May be? To me, penalties are important should a credit bureau fail to implement a Security Freeze within the days specified, or disclose a consumer's credit report despite an in-place Security Freeze.
  • The new law doesn't state whether or not the Security Freeze feature applies to C.L.U.E. reports. The new law does mention "consumer reporting agency," which probably applies to ChoicePoint, the dominant C.L.U.E. reports provider.
  • Disposal of records feature: the penalty for violators seems very weak, in my opinion. The law reads, "Any person or agency who violates the provisions of this chapter shall be subject to a civil fine of not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal." $100? Geez! We need stronger laws here to encourage compliance, not weak laws that undermine it.
  • The new law doesn't state whether the Massachusetts Attorney General's office will post data breach notices online, like New Hampshire's Department of Justice does.

What do you think of the new law? How does it compare to your state's ID-theft law? Has your former employer provided substitute notice? I've Been Mugged readers want to know.

Next entry: data breaches and lawsuits