37 posts from January 2008

Appeals Court Upholds Verdict in Sloane v. Equifax

A recent FindLaw article by Anthony Sebok reported:

"The U.S. Court of Appeals for the Fourth Circuit recently upheld a sizable verdict against a credit agency for failing to promptly and efficiently aid a victim of identity theft. The decision in Sloane v. Equifax Information Services does not break new doctrinal ground. It does, however, underscore how identity theft could become a headache not only for individual consumers, but large financial reporting companies."

In 2003, Suzanne Sloane (Sloane) had her SS# stolen at Prince William Hospital in Virginia by a hospital employee named Shovana Sloane. The identity thief quickly ran up a $30,000 debt in Sloane's name. Sloane notified Equifax of the theft and provided appropriate documentation of the fraudulent charges according to Equifax's instructions. Shovana Sloane was later arrested and convicted of the identity theft crime. At the jury trial, Equifax was found liable: through its incompetence it had compounded the problem and never accurately fixed Suzanne Sloane's credit report.

"Finally, in November 2005, Sloane sued all three of the national credit reporting agencies, the Prince William Hospital and the employment agency that had helped place Shovana Sloane. Sloane settled with all the defendants but Equifax."

Here's the most important part of the story for consumers:

"Sloane sued the credit agencies under the Federal Credit Reporting Act, a 1968 law Congress passed to protect consumers from negligently-maintained credit records. The law sets out requirements to ensure that credit reporting agencies maintain accurate records, and it provides for a private right of action by injured consumers, who may seek to recover damages in the event that a credit reporting agency negligently violates any of the statute's requirements. At trial, the jury found that Equifax had violated the FCRA and awarded Sloane $106,000 in economic losses and $245,000 in mental anguish."

The Appeals Court did reduce the amount of Sloane's award to $150,000. Maybe the credit bureaus will now take identity theft more seriously. In my opinion, the reduction was unwise since identity theft strikes at a consumer's ability to take care of themselves and their family. In his article, Sebok correctly concludes:

"As the Fourth Circuit itself noted, FCRA cases are changing. Whereas errors used to arise from simple carelessness within the banking industry itself, the possibility of the errors' resulting, instead, from identity theft, as occurred here, is increasing, along with the ubiquity of the Internet, Wi-Fi, and smartphones. Credit reporting agencies will be the means by which much more misinformation will be "published" and the consequences of lax practices for correction will grow even more severe."


Good News On The Blogging Front

For those who live and work in the New England area... I will be speaking at this ACLU conference on January 26, 2008 during a workshop titled “Blogging For Civil Liberties.” I am quite excited about this event, since it's an opportunity to raise awareness about identity theft, privacy, and corporate responsibility issues, plus promote the I've Been Mugged blog.

To learn more about the conference, see the ACLU conference site:

Reclaiming Our Civil Liberties


Twice Bitten: Acts of Stupidity Can Lead to Identity Theft

Chris Soghoian has an excellent post in his C/Net Surveillance State blog:

"A British TV presenter has learned the hard way that identity theft is serious, and in the process, become the joke of the moment for privacy bloggers. More importantly, this is the second time in just one year that such a thing has happened."

Soghoian wrote:

"Jeremy Clarkson, host of the BBC show Top Gear, recently wrote an article for the U.K.'s Sunday Times in which he ridiculed the uproar that had occurred after the British government admitted to losing two compact discs containing the personal information on 25 million people. To prove his point that there was no risk of financial fraud for those consumers, he published his bank account details, and instructions on how to locate his address."

Clarkson quickly changed his opinion of identity theft after an identity thief used Clarkson's data to create an automatic bank transfer to the Diabetes UK charity.

Recently, a friend in Oakland called to ask me about LifeLock. Soghoian has clearly "connected the dots," since he also wrote about LifeLock in the same post:

"Todd Davis is the CEO of LifeLock, a company that offers a mostly useless $10 per month identity theft protection service. In an effort to eat his own dog food, and promote his company's service, Mr. Davis includes his social security number in all of the company's advertisements--see here. A full page ad in this week's USA Today had his SSN listed in big letters. Making a mockery of LifeLock's identity theft protections, a Texas man in 2006 was able to secure a $500 payday loan with Mr. Davis' social security number."

If you are considering LifeLock for a credit monitoring service, I also encourage you to read this Phoenix New Times article before making a decision.


New Wireless Identity Protection Product: Armadillo Dollar

Many of us already have Radio Frequency Identification (RFID) cards in our wallets or purses. You have an RFID card if it's a card that you wave near (about 2 inches) a wall- or table-mounted reader. RFID cards are supposedly easier to use because the RFID card and the RFID reader don't have to physically touch. They just have to be close enough -- a few inches -- for the reader to access the information stored on the RFID card. Some credit cards, debit cards, and store charge cards are RFID cards.

I have two RFID cards. One is the security badge to enter the office building and my employer's offices. The second is my Charlie Card to ride Boston's MBTA mass-transit system. When I worked in London in 2004, my Tube pass was an RFID card.

While I realize that RFID is here to stay, I am not wildly excited about the technology because its security gaps are well known, and its security depends upon the issuer properly encrypting the sensitive personal data stored on each RFID card. Identity thieves can use a portable RFID reader to collect personal data from unsuspecting RFID cardholders: a process called "skimming." The thieves can then create, use, and sell duplicate, bogus RFID cards. And, it's almost impossible for the average user to know when an identity thief has used a skimmer to steal personal data from an RFID card.

With this in mind, I was curious to read this TrustedID blog post:

"Armadillo Dollar, a new product created by Wisteria House Products, offers protection against this new wireless identity theft and RFID monitoring. Users place the product in their wallet, and it blocks the transmission of sensitive private information from RFID (Radio Frequency Identification) enabled debit/credit cards or employee badges. The user can move around undetected by RFID readers, and wireless identity thieves."

If you want to learn more about the RFID technology, read the RFID Journal, the RFID blog, or visit armadillodollar.com. I haven't yet tried the Armadillo Dollar product, so I can't speak to how effective it is. If any I've Been Mugged readers already use the product, please share your experiences.


4 Of 10 Small/Medium Businesses in the US Are Not Secure

Darknet recently reported the results of a survey of 455 small and medium-sized businesses in the United States:

  • "42% do not consider their networks to be secure
  • 32% have suffered a breach over the past 12 months
  • 96% and 93% have anti-virus software and firewalls; 80% have anti-spam products
  • 71% say downtime and security issues are their main daily IT concerns
  • 51% identify user support as a major daily concern
  • 39% say email viruses are the greatest security risk
  • 55% spend 10% or less of their IT budget on security measures
  • 77% say this budget is enough to cover their security requirements
  • 48% believe that better awareness on security among employees would improve the level of security while 25% want senior management to be more aware of security issues"

Of the 32% that reported a breach, the breach was caused:

"mainly due to a virus attack (69%), followed by infected internet downloads (30%) and loss of hardware, e.g. laptops (24%). Only 2% reported a breach involving some form of fraud or identity threat."

The survey was conducted in October 2007 by eMediaUSA for GFI Software. The survey respondents were senior executives or senior IT administrators. Download full survey results and methodology (Adobe PDF).


Social Here, Social There, Social Security Numbers Everywhere!

A friend, Catherine, sent me the link to this recent Washington Post newspaper article which highlighted a huge identity vulnerability in the USA. Frankly, there are millions of paper documents in federal, state, and local records which disclose consumers' Social Security numbers:

"Social Security numbers are readily available in many courthouses -- in land records and criminal and civil case files -- as well as on many government Web sites that serve up public documents with a few clicks of a mouse. From state to state, and even within states, there is little uniformity in how access to the private information in these records is controlled."

This is a very dangerous situation. I cannot over-emphasize the risk. The large number of documents containing Social Security numbers with accompanying names, addresses, and birth dates makes it very easy for identity thieves to visit a local courthouse or government office and collect personal data from paper (and online) records.

While the federal law was changed in 2001 to remove Social Security numbers from documents, the law doesn't cover documents produced before then or documents in state and local government records:

"A recent spot-check found the nine-digit numbers -- introduced in 1936 to track employee earnings and benefits -- on hundreds of land deeds, death certificates, traffic tickets, creditors' filings and other documents related to civil and criminal court cases. Federal courts have banned the numbers from appearing on public documents since 2001... However, millions of paper records were filed across the United States before the laws and rules took effect. Generally, such records are not covered by the prohibitions. And court clerks said it would be virtually impossible to redact all of the Social Security numbers in them."

The article also highlights central Virginia activist Betty "B.J." Ostergren, who pushes lawmakers and government agencies to take sensitive personal data off state-run Web sites. Ostergren operates the thevirginiawatchdog.com site, which lists examples of public figures whose Social Security numbers have appeared in public records.

One thing we consumers can do is press our state and local politicians and government to protect our personal data that resides in these records. The best summary:

"It's alarming, because the government should be setting the example in really trying to protect people's private information," said state Sen. Jamie B. Raskin (D-Montgomery). "Look, there's a whole criminal underground now that thrives on stealing people's credit cards and usurping their identity for as long as they can."


Sears Is Sued for Data Breach

After news reports documented how Sears' ManageMyHome.com site exposed customer purchase data to the public (i.e., any web-site visitor who requested it), a New Jersey resident has filed a $5 million class action lawsuit against the retailer. According to the InformationWeek article:

"In a complaint filed on Friday in Cook County, Ill., where Sears has its headquarters, plaintiff Christine Desantis alleges that the company's exposure of customer data represents a breach of contract and a violation of the Consumer Fraud Act. The $5 million sought is to cover payments to affected consumers and attorneys, and the cost of injunctive relief; no individual is seeking more than $75,000, according to the legal filing."

The lawsuit argues that Sears failed to take reasonable steps to protect consumers' private data.


Unsecure Sign-in Pages At Web Sites

In a prior post, I listed my personal data New Year's Resolutions for 2008. One of my resolutions is to contact companies I do business with online that have gaps in their data security. Earlier today I contacted NetFlix about their customer sign-in page:

"I would like to inform you that the NetFlix Sign-In page is unsecured. That is, it is http:// when it should be https:// . This is very important since credit card information is attached to my account and to my sign-in information. The work-around I have used to-date has been to click the "Continue" button since your site currently serves up a secure (e.g., https://) Sign In Error page. Then I enter my sign-in information.

While I am generally a satisfied NetFlix customer, this unsecured sign-in page is a big problem. I blog about identity theft and I'd hate to see NetFlix get hit by hackers or identity thieves who might harvest customers' sign-in information from an unsecure sign-in page."

I also sent a similar e-mail to TypePad, the producer of this blogging software. TypePad has a similar problem with an unsecured Member Log-in page. You might want to check the web sites you sign into. While banks and financial institutions are good about providing secure sign-in pages, retailers don't seem to do as good a job.

Also, I've found that the web-savvy companies respond quickly to e-mail inquiries. We'll see how soon TypePad and NetFlix respond to my inquiry.


Credit Monitoring vs. Credit Restoration: What's The Difference?

Recently, a friend asked me what the difference is between "credit monitoring" and "credit restoration." While writing this blog, I kept some notes which morphed into the comparison chart below:

Definition:

  • Credit Monitoring: The process of reviewing a consumer's credit reports and credit scores at the three national credit bureaus. May also include alerts when a credit bureau provides the consumer's credit report to potential lenders.
  • Credit Restoration: A process of notifying law enforcement, credit bureaus, banks, lenders, state and local government agencies, federal agencies, and other companies about the theft of a consumer's identity and/or money; and the process of correcting the information in the victim's credit reports.

Advantages:

  • Credit Monitoring:
    1. Includes alerts via cellphone and/or via e-mail
    2. Timely alerts minimize the amount of money stolen or damage done by identity thieves
    3. Almost always provided for free for 1 or 2 years by companies that have had a data breach
    4. Service usually includes the full text of your credit report from all 3 national credit bureaus
    5. Service may include tips on how to improve your credit score and manage your credit
  • Credit Restoration:
    1. Professionals do the work a consumer may not have the time or knowledge to complete
    2. The better services include both credit/financial and non-credit/criminal work
    3. The better services do most or all of the restoration work as the victim's agent
    4. May include an insurance policy to cover expenses and legal fees incurred
    5. Sometimes provided for free for 1 year by companies that have had a data breach

Disadvantages:

  • Credit Monitoring:
    1. Monthly fees vary widely
    2. Can be difficult to compare services
    3. Many credit monitoring services don't include credit restoration services
  • Credit Restoration:
    1. Monthly fees vary widely
    2. Can be difficult to compare services
    3. Usually, insurance doesn't cover actual money lost or stolen
    4. Often not included in many credit monitoring services

Availability:

  • Credit Monitoring: Provided by many banks, credit bureaus, and independent companies
  • Credit Restoration: Provided by some banks, but mostly by independent companies


Which is best? It really depends upon your personal situation. If you are unfamiliar with identity theft, then a comprehensive credit monitoring service probably is best. Several resources are listed in the right column under "Credit Monitoring Services." If you are a DIYer (Do It Yourself) who gets your free credit reports at www.annualcreditreport.com, then a credit restoration service may be best.

As things change, I will update the above chart.

Want to learn more? Read prior posts about credit-monitoring services. You probably will want to read about the Security Freeze and C.L.U.E. insurance report topics. I urge everyone to consider opt-out resources to reduce your identity theft risk.


Sears Exposes Customers' Purchase Information

A prior post explained the data privacy problems at the Sears.com and Kmart.com sites. In his blog, Harvard Business School professor Ben Edelman documented how customer purchase information is exposed by the Sears "Manage My Home" community portal.

There are smart ways to create a community portal for customers. This is not one. Not even close.

It is a particularly bad implementation because it makes it easy for scammers to abuse Sears consumers. And, it makes it easy for thieves to case homes online to decide which homes have the most valuable items to steal. How? Thieves can get a consumer's name, phone number, and address from any online (or print) telephone white page directory.

Also, the ComputerWorld publication reported:

"US retail giant Sears Holdings has taken part of its Managemyhome.com Web site offline following revelations that the site was making customers' purchasing histories publicly available. Sears disabled the site's "Find your products" section on Friday following criticism from privacy advocates, who said that fraudsters could use information provided by the site to scam Sears customers."

Want to learn more? Read about Sears spyware and poor consumer disclosures.


Fraud Alert or Credit Freeze: What's The Difference?

While discussing identity theft with a business acquaintance, the topic came up about how best to protect our identities. The person mentioned that they had a Credit Freeze in place, but that it was only good for 90 days. This was a clue to me that the person had a Fraud Alert in place and not a Credit Freeze. A comparison of the two options:

Definition:

  • Fraud / Security Alert: A special message attached to a consumer's credit file that indicates the individual may be a victim of identity theft. The alert may require potential lenders to contact the consumer via phone before issuing credit.
  • Credit / Security Freeze: A feature for national credit reports where all companies and potential lenders (except where exempted by law) cannot access a consumer's credit report without the consumer's permission.

Advantages:

  • Fraud / Security Alert:
    1. Free for consumers
    2. Alert durations available for 90 days or 7 years. Military personnel: Active-Duty Alert (12 months)
    3. After adding an alert at one credit bureau, the other 2 credit bureaus automatically add an alert
  • Credit / Security Freeze:
    1. Generally, free only for identity theft victims (IL, NM, and RI: free for all residents 65+)
    2. Stops identity thieves from opening new accounts or getting credit, loans, or mortgages in your name
    3. Stops credit bureaus from distributing your credit report
    4. Consumer can lift or remove the freeze when needed for potential lenders (PIN number provided)

Disadvantages:

  • Fraud / Security Alert:
    1. Credit bureaus still distribute your credit report
    2. Identity thieves can apply for credit or loans and approval may still "sneak through"
  • Credit / Security Freeze:
    1. If you are not an identity theft victim, fees apply to add, lift, or remove a freeze at each credit bureau
    2. You must add, lift, and remove a freeze separately at each credit bureau
    3. To apply for credit, you must temporarily lift the freeze on your credit reports. This may cause a delay getting credit approval
    4. Banks and companies that provide consumer data to the credit bureau will not be allowed to update the name, address, SS#, and birth-date data on your credit reports

Availability:

  • Fraud / Security Alert: Nationwide
  • Credit / Security Freeze: Nationwide, including Puerto Rico, Guam and the U.S. Virgin Islands

Other:

  • Fraud / Security Alert:
    1. Adults only
  • Credit / Security Freeze:
    1. Adults only
    2. Temporary freeze lift: 3 days minimum and 30 days maximum


Want to learn more? You should be aware of certain identity-theft situations that neither a Security Freeze nor a Fraud Alert will prevent. Also, the Security Freeze laws in many states do not cover consumers' C.L.U.E. insurance reports. You still should shred snail-mail and paper documents with sensitive personal data. And, for maximum protection you should also take advantage of the opt-out resources.


Sears: Bringing You The Softer Side of Spyware

A friend, Lisbeth, sent me the link to a very interesting post at the Ars Technica blog by Jacqui Cheng about Sears and Kmart:

"Sears and Kmart are places you might go when you need a new air conditioner filter or a lawnmower; they're not generally thought of as havens for spyware. But that's what the two stores have become, at least online, where their web sites were found to be installing software to track users' every online move—all without their knowledge. Security researchers are now hammering Sears (the owner of both Sears.com and Kmart.com) for the move, despite Sears' claims that users were notified adequately beforehand."

Cheng's post is a must-read, whether or not you shop at Sears or Kmart. Cheng describes in detail how the Sears.com and Kmart.com sites install spyware on community users' computers without their permission; and how Sears.com presents duplicitous privacy policy information. While the privacy policy should be consistent for all users, the web site presents different policies to different users... all without any upfront and clear warnings.

In many ways this may be worse than the Facebook Beacon program debacle since the spyware tracks all computer usage, and not just usage at Sears.com and Kmart.com sites. It's another example of how companies are not honest, direct, and clear about how they collect, archive, and protect customer information online. In my opinion, senior managers at Sears should go to jail as a result.

I also checked the TRUSTe.org site to see if Sears was listed there. It wasn't listed -- and shouldn't be listed since TRUSTe.org maintains a list of companies that properly handle and disclose to consumers their company's and web site's data privacy and opt-in methods.

When companies like Sears treat consumers and customers in this manner, it ensures that I won't shop there. And I hope that you won't shop there either. Or even better: write to Sears and tell them you won't shop there until they stop this practice. I did.


Identity Theft Predictions For 2007 Come True

At the end of 2006, the Identity Theft Resource Center (ITRC) made five predictions about identity theft for 2007. Sadly, the ITRC was correct on all five predictions:

  • "There will be an increase in check fraud, check synthesizing, and check counterfeiting.
  • Phishing will continue to grow as a problem.
  • Child, family, and domestic identity theft victims will be acknowledged by law enforcement and companies.
  • There will still be a lack of sensitivity and responsiveness toward victims by some law enforcement agencies, companies, and government agencies.
  • We will see more communication between various law enforcement entities in multi-jurisdictional cases including the creation of regional taskforces."

The ITRC also made predictions for 2008:

  • "... [identity] thieves are getting younger and younger. Recently two people in their early 20’s were arrested, in possession of sophisticated forgery equipment. This is a strong indicator that identity theft is becoming a lucrative career path.
  • Identity theft will continue to grow more international in scope. Scams will become more sophisticated and will be harder to detect, as thieves become more industrious and skilled at designing viruses,..
  • There will be an increase in the number of breaches due to poor information handling policies and practices.
  • There will be a continuation of contradictory studies with less agreement on victim census, cause and effect, facts and overall cost of identity theft. This will lead to confusion, misguided legislation and governmental actions.
  • On the positive side, ITRC believes that businesses will develop and implement better ways to authenticate the identity of applicants including Internet and telephone applications.
  • There will be a higher recognition of identity theft as a crime by law enforcement. This will lead to more reports written to assist victims in taking advantage of state and federal victim recovery rights.
  • There will be more legislative action on the issue of identity theft, including limiting the use of Social Security Numbers.
  • States and non-profits will be in a better position to provide more victim assistance at no charge."

All of this tells me that we consumers have to be more engaged with issues associated with identity theft. We have to be smarter about where we shop and how we pay for purchases. We have to be more diligent about monitoring our financial files and credit reports. We have to be responsible in using anti-virus software and creating strong passwords. And, we consumers have to hold accountable the companies and agencies that lose our personal data, and the politicians that fail to support identity theft legislation.


New Year's Resolutions: How To Protect Your Personal Data

The second half of 2007 was a busy year for me. First, I learned that IBM lost my personal data during a data breach. Then, I learned about identity theft and some of the ways to protect myself. Along the way, I started this blog and learned about fraud alerts, security freezes, and corporate data breaches.

Before compiling my list of New Year's resolutions, it seemed wise to list the activities and habits I have already started during 2007:

  • I shred all snail mail that might be useful to identity thieves
  • I check my Social Security Earnings Record at least once every year
  • I keep the e-mail spam filter set on "High" at my Internet Service Provider
  • When searching with Google.com in my Firefox web browser, I use McAfee SiteAdvisor to avoid dangerous sites
  • Immediately after learning about IBM's data breach, I placed a Fraud Alert on my credit reports
  • I checked my 3 credit reports: Experian, TransUnion, and Equifax
  • I checked my C.L.U.E. insurance report with Choice Trust
  • I set up e-mail alerts with my two credit monitoring services to inform me if anyone attempts to access my credit reports
  • I installed better anti-virus software protection on my laptop computer
  • I stopped using my ATM debit card for purchases at retail stores, and use cash or a credit card
  • I opted out of pre-screened credit and financial offers - both e-mail and snail-mail
  • I went paperless with my online banking and set up alerts to notify me immediately
  • I created stronger passwords for all of my sensitive online accounts

I feel really good about these accomplishments. You can read about them in prior posts. Just click on one of the topics in the right column or start with my first I've Been Mugged post.

Now that 2008 is here, I realize that there's more to do to better protect my personal data. I've learned so far that there's no single "silver bullet" solution to protect myself from identity theft and identity fraud. The tools and resources for consumers are constantly changing and evolving.

My list of identity protection resolutions for 2008:

  • Place a security freeze on my credit reports
  • Read "The Wall Street Journal Complete Identity Theft Guidebook" by Terri Cullen
  • Continue to do business online only with companies I already know
  • Always check both the Better Business Bureau and TRUSTe web sites before doing business with a company I don't know
  • Check my Medical Information Bureau report
  • Guard my health-care insurance card as carefully as I guard my credit cards and Social Security card
  • Insist that the companies I do online business with offer secure sign-in pages (e.g., https://) and, if they refuse, switch to another company
  • Research credit restoration companies to decide whether to keep my current service or switch to a better service
  • Periodically, check the IBM data breach web site for any news or updates regarding their February 2007 data breach
  • Change my online passwords every 3 months

What are your New Year's resolutions to protect your personal data?


Some Sanity Amidst Facebook's Beacon Debacle: TRUSTe

In prior posts, I discussed Facebook's bumbling of its Beacon program. I was pleased to read this in the TRUSTe blog:

"TRUSTe has been working closely with Facebook during the Beacon launch, and the subsequent change to opt-in user control. In addition to oversight regarding updates to the Facebook privacy statement, we announced today model privacy statement language for Beacon partners which plainly explains to consumers what information is collected, and how to exercise their options for control. Websites that are Beacon partners are also responsible for disclosing when and how their customer data might be used."

See the above blog entry for details. Who is TRUSTe? TRUSTe describes itself as:

"... an independent, nonprofit enabling trust based on privacy for personal information on the internet. We certify and monitor web site privacy and email policies, monitor practices, and resolve thousands of consumer privacy problems every year."

TRUSTe works to promote both consumer privacy and business growth. I like that. TRUSTe has about 2,500 seal-holders in 56 countries: companies that meet TRUSTe's strict guidelines for maintaining consumers' data privacy, e-mail opt-in methods, and disclosure copy for online shopping.

I hope that the executives at Facebook listen to and use the advice TRUSTe is offering.


Who Hackers Will Target In 2008

In his ZDNet Gear For Geeks blog for IT professionals, Adrian Kingsley-Hughes predicts that in 2008 computer hackers will target what he calls the "stupid crowd," since hackers (and identity thieves) follow the path of least resistance:

"The term 'stupid crowd' might seem harsh and unjust, but it’s as good a label as any... The 'stupid crowd' is made up of those users who don’t let anything get in their way when they’re after that funny video, porn, a keygen or pirated movie. The 'stupid crowd' click first and ask questions later (thinking doesn’t seem to factor in the process at any stage)... Anyone who’s had to throw away a PC because it was trashed by malware is a member of the stupid crowd."

Adrian makes some valid points about (home and business) computer users who ignore good computer security habits while surfing the Internet, sending documents, or reading e-mail. However, Adrian has described only one segment of the "stupid crowd."

In the few short months I've written the I've Been Mugged blog, I've read about many corporate data breaches and data security failures... enough so I've concluded that a second (and perhaps larger) segment of the "stupid crowd" includes companies whose senior management and IT professionals implement obsolete data security and data encryption methods, or insufficiently fund effective data security programs. Obviously, the "corporate stupid crowd" includes companies that suffer repeated data breaches.

The "corporate stupid crowd" includes:

  • IT and HR managers who fail to train their employees on effective data security practices, especially regarding the downloading and storing of sensitive data on company laptops
  • Companies that fail to implement data security processes with their contractors... and fail to hold those contractors accountable when data breaches occur
  • IT managers who fail to secure their computer equipment liquidation process
  • Retail companies with obsolete wireless encryption and data security
  • Companies that ignore or fail to comply with Payment Card Industry (PCI) data security standards
  • Companies that have the bad habit of placing profits ahead of data security for the sensitive personal data they archive

We only have 2007 to review to see the companies that are part of the "corporate stupid crowd." To see examples, browse the Data Breaches, Corporate Responsibility, and TJX / TJ Maxx topics in this blog. This flow diagram aptly describes the "corporate stupid crowd" regarding data security and data breaches.

If that's not enough, there's a ZDNet blog that documents the missteps and fumbles of the corporate stupid crowd: IT Project Failures.