Previous month:
January 2009
Next month:
March 2009

23 posts from February 2009

Aladdin's Data Security Predictions For 2009

At the beginning of the year, several bloggers and I shared our ID-theft and data breach predictions for 2009. Last week, Aladdin Knowledge Systems released its Annual Threat Report summarizing data security threats from 2008 and predictions for 2009. Part of Aladdin's predictions: the global financial crisis, real-estate market cratering, and credit crunch will:

"... combine to give the business of eCrime a boost... We see eCrime in 2009 thriving, bringing in more than the "classic" technical employees. eCrime will expand its business model and hiring reach to include the unemployed management level and financial industry professionals."

This means companies should expect, plan, and implement data security systems that address identity theft and data breaches caused by insiders: employees, contractors, and vendors. Aladdin also noted that because more professionals and businesses now use social networking sites, the value of web identities has soared and:

"Reconnaissance and business intelligence with tools such as Paterva's Maltego has become all too easy, and the sheer amount of public data on sites like Facebook, LinkedIn, Bebo and even MySpace make it easier to impersonate, damage or misrepresent a personal or business identity on the Web. We predict that we will see an increase in the amount of Web identity hijacking, and in response, a serious change in the requirements for validating our identities on the Web."

This means that consumers and users of social networking sites will have to be smart about who you connect with, who you give access to your detailed profile, and the profile links you click on. It is wise to contact a "friend" via an alternate method (e.g., phone, e-mail -- or walk down the hall and talk with your coworker or classmate) to verify that the online identity matches the real person, and to verify that the real person did send to you a Friend/connection request, before granting them access to the sensitive personal data in your online profile. Or only use social networking sites that offer effective online identity confirmation features.

Privacy Crusaders. What A Great Name!

Last year, I wrote a detailed series about targeted advertising (a/k/a behavioral advertising or behavioral targeting) programs and secret tests by Internet Service Providers (ISPs) who didn't inform their customers.

In a blog post earlier this month, the Online Communication blog discussed the class-action lawsuit against NebuAd and several ISPs, and called the plaintiffs and their attorneys "Privacy Crusaders." What a great name! And its a pretty accurate description, too.

I look forward to future actions by the Privacy Crusaders. If you want to learn more about the class-action lawsuit against NebuAd and several ISPs, read the complaint online.

3 Arrested in California Medicare Fraud And Identity Theft Case

To me, it's important to congratulate law enforcement when identity thieves are caught. This case is particularly bad because the identity thieves preyed on elder citizens. The San Diego Union-Tribune reported:

"A husband and wife who ran a physical rehabilitation center in San Diego allegedly defrauded Medicare of more than $1.3 million by stealing the identities of seniors and filing false claims under their names, state regulators said yesterday. Sanjay J. Patel, 41, and Leena Bharat Kumar Patel, 36, were arrested yesterday morning at their home in Groton, Conn..."

Here's how the scam worked:

"An alleged accomplice, Librada Santos Comduran, 80, helped recruit seniors to sign blank medical forms and turn over their Medicare beneficiary ID numbers in exchange for $100 payments, according to an affidavit... The Patels used the signed forms and beneficiary numbers to file false Medicare claims through their business, the Balboa Therapy Center in Hillcrest, between July 2005 and June 2006."

Identity thieves come from all backgrounds, places, and ages. Clearly, the identity thieves and fraudsters collected money for services that weren't performed. This case has other implications given the recessionary economy. Unfortunately, one should expect to see more identity theft and fraud cases like this.

Banks And Credit Card Issuers Increase Interest Rates On Consumer Credit Cards

It took a while to calm down so I could write this blog post. About the 13th of February I received a notice from my credit card issuer, Capital One, informing me that the interest rate and other terms for my credit card were all going up:

"At Capital One, we are committed to providing valuable customers like you with honest and open communications. Today, we're notifying you that terms of your Capital One account are changing... Due to extraordinary changes in the economic environment, we're reviewing our existing credit card accounts. Having considered these economic conditions, your account's current Purchase rate, and the length of time you've had this rate and account, we will be increasing your Purchase rate. We're also raising your Cash Advance and Default rates."

This copy seemed so dishonest. If the bank is having difficulty and is losing money with decisions its executives made about asset-backed securities, then say so. This copy makes it sound like the bank is an innocent bystander or victim in this financial and economic mess. The last time I checked, Capital One received about $3.5 billion in bailout money from taxpayers to facilitate credit and lending. The notice didn't mention that fact, or thank us taxpayers for the huge loan. Based on the text in this notice, Capital One is doing the opposite: restricting credit and lending.

More from Capital One's notice:

"The following changes will be effective for all billing periods that begin after April 17, 2009:
Purchase and Balance Transfer Annual Percentage rate (APR): A variable rate equal to 17.9% as of 1/28/2009. Your purchase and balance transfer APR may vary monthly. The rate will be determined by adding 14.65% to the Prime rate."

So, my credit card interest rate is going up from 10% to 17.9%, or more since the rate will be variable. That's a huge increase. I definitely have feeling that I've been mugged.

And why the two conflicting dates? Which date is the correct date: April 17 or January 28? The notice should have been worded more clearly. Consumers shouldn't need a PhD in finance to read a notice from their credit card issuer. More from Capital One's notice:

"Cash Advance Annual Percentage Rate (APR): A variable rate equal to 24.9% as of 1/28/2009. Your cash APR may vary monthly. The rate will be determined by adding 21.65% to the Prime rate."

I'm one of the lucky consumers who is able to pay off my credit card balance every month in full and on time. So, I haven't incurred interest charges on my Capital One credit card since 2004, when I paid off all of my credit cards. With a credit score north of 790 (which is higher than 98% of Americans), my credit is good. I don't do balance transfers and cash purchases with my credit cards. So, while I'm unaffected by the interest rate hikes, it's the principle of the matter that irks me. And other consumers have complained recently about Capital One's rate increase notices.

But not everyone is so fortunate. These huge interest rate increases will hurt a lot of consumers, and make it far more difficult for good customers to continue paying. More from Capital One's notice:

"Default Annual Percentage Rate (APR): A variable rate equal to 29.4% as of 1/28/209. Your default APR may vary monthly. the rate will b determined by adding 26.15% to the Prime rate. If we receive your payment three or more days after your payment due date twice within any 12 billing periods, we may increase your APRs immediately to the above Default APR."

Wow! The bank wants to charge late payers almost 30% interest. How can a consumer ever get ahead with a high interest rate like that. That's robbery. Consider this craziness: in Hong Kong Citibank agreed to limit credit card interest rates to 45%. Can you believe that? 45 freakin' percent! How nice of Citibank! How customer friendly of the bank!

Around the 17th of February, I received a similar notice from Discover Bank. The interest rate and terms for my Discover credit card are going up, too:

"We are changing the Discover Cardmember Agreement. these changes apply to your Account effective for billing periods that end after May 1, 2009... We are modifying the "Default Rates" section to provide that the Default Rate is a variable rate... Each time you do not make a required payment on time (a Default rate Event), we may increase the standard Annual percentage Rate for purchases, balance transfers and cash advances to a variable rate equal to the Prime Rate + up to 27.99%, but such rate will never exceed 29.99% (the "Default rate). At the same time, any special rates on purchases, balance transfers or cash advances will end, and the Default Rate may apply. As of November 28, 2008, the maximum Default Rate would be an Annual Percentage Rate of 29.99%..."

An interest rate near 30%! Can you believe that? Again, I'm one of the lucky consumers who is able to pay off my credit card balance every month in full and on time. So, I haven't incurred interest charges on my Discover credit card since 2004, when I paid off all of my credit cards. But not everyone is so fortunate. These huge interest rate increases will hurt a lot of consumers.

I called my grown son (age 23) to warn him to watch his credit card statements for interest rate increases. I also advised him to pay off his credit card balances as soon as possible, so he doesn't get stuck in a bad situation where his credit card balances rise so fast that he can't pay his debts.

So, what's up with the banks and credit card issuers? Why these notices with huge interest rate increases?

Many consumers would say the banks are doing it because they can.Yesterday's blog post by guest-author Bill Seebeck provided a more detailed explanation. The banks lost money in the asset-backed securities marketplace and are using any means necessary to increase revenues to avoid more financial losses. If that means screwing consumers, so be it.

My list of reasons why banks are raising interest rates so high:

  • Because they can
  • To increase revenues from bad investments and poor decisions by their executives
  • Expecting consumers with credit card balances are unable to pay off those balances before the higher interest rates start
  • Betting that more consumers will be laid off from work during 2009, and those people will run up large credit card balances
  • Greed
  • Comfortable that a compliant Congress won't do anything about it

If there's any good news, neither credit card issuer lowered the limits on my credit cards. That has happened to many consumers already. Will I shop around to switch to credit cards with better terms? You bet.

If you are furious (and I hope that you are) about these huge interest rate increases, I encourage you to contact your elected representatives in Congress and demand strong oversight of the TARP money received by Capital One and other banks. You might also send a letter to Richard D. Fairbank, Chairman and CEO of Capital One Financial Corporation (1680 Capital One Drive, McLean, VA 22102), and politely express your opinion regarding this decision to alienate their strongest customer base. You can also write to David W. Nelms, CEO, Discover Financial Services (2500 Lake Cook Road,
Riverwoods, IL 60015).

If you have received a rate increase notice from your credit card issuer, please share your story below.

If You have a Credit Card: Beware the Ides of March!

[Editor's Note: Today's blog post is by guest author William Seebeck. I've known Bill for decades, going back to our time working together at Lexis-Nexis in Dayton, Ohio during the 1980's. Bill has a wealth of experience in online systems, banking, publishing, and public relations.]

By Bill Seebeck

While the government and the Congress have been propping up the banks with billions of dollars, the banks have not been spending all their time figuring out how to begin lending again, they have been using the money to contract rather than expand with drastic impact to consumers and the economy.

The banks have assigned just enough staff to create the illusion that they are lending, but in fact they have been hiring hundreds of collection agents, reducing lines of credit, increasing rates for bank charges and in the credit card realm, dumping accounts that always pay on time in favor of accounts that they can push over the edge with more fees and increased debt in an effort to gain more income.

It is fast becoming known in the credit card world that in March the banks will increase rates on millions of customers. The annual percent rates (APR) will change and the consumer once again will take it on the chin big time.

These predatory actions are helping to make it very clear that there is another shoe yet to drop in the banking industry and that is the credit card business.

With the collapse of the asset-backed securities (ABS) marketplace, the banks took a big hit. First, it was with mortgages and now it will be with credit cards. Yes, just like with mortgages, since 1987, banks have been packaging credit card debt and receivables into what is called credit card asset-backed securities.

How does it work?

Over the past 12 months, we have come to know about how mortgages were turned into securities (mortgaged backed securities). The same can pretty much be said for turning credit card debt and receivables into a security (credit card backed securities).

In the credit card model, the bank that issues the credit card bunches up groups of accounts or receivables usually into the form of a bond "backed" by these accounts or receivables and sells them to a trust. In turn, the trust issues securities backed by those receivables.

Now, here is where I believe the process becomes risky.  The bank that issued the card and "sold" the account or receivables still services the account BUT, the assets that were "sold" have been removed from the bank's balance sheet.

Why is that important?

It's important because since the assets are no longer on the bank's balance sheet, the bank can reduce its capital requirements and seek new accounts to make for the ones "removed" from the balance sheet. Capital requirements are the reserves that banks must put aside by law to essentially protect the bank's business. These funds can't be tampered with and must remain on deposit, just in case.

What happens next?

When you, as a credit cardholder pay your bill each month, that money goes into the trust. Those funds are used to pay those that have bought the Credit Card backed securities.

So what happens, if there is a slowdown in people paying on their balances?

Well, as you can imagine, the bank's are in trouble, not only because you owe them money on the balance they have lent you via the card, but also because they have already sold your debt/receivables and there is less money in the trust to pay the investors. Also, when your balances increase, it means that the banks can't add as many new accounts and must maintain larger capital reserves. Not good for them or you.

The Banks and Your Card

Banks want you to use your credit card because it creates more debt/receivables for the bank to use as noted above. The banks do not like cardholders that pay their balances off in full each month because then the bank doesn't get to assess finance charges or to have reason to raise their APR rates.

When the growth of the banks portfolios of card users slows down, the bank looks for other ways to still get what it needs from the card accounts that remain in its portfolio.

One of the ways of doing that is by raising the basic Annual Percentage Rate they are charging on all accounts and then increase all kinds of fees across the board. That is what I believe they will do in March. Further, I believe that the banks will also seek to close accounts that are not producing an ever-increasing amount of fees. It will tell the customer that their basic rate is being raised and give them an opportunity to close their accounts and move elsewhere.

Not a pretty picture folks, but neither was it on March 15, 44 BC, when Julius Caesar went to the Senate.

© 2009 WBSeebeck

[Correction: This blog post was updated March 2, 2009. The prior entry on February 23, 2009 incorrectly included a draft instead of the final version. My sincere apologies to Bill and to I've Been Mugged readers.]

Reengineering U.S. Government, Lou Gerstner, and John Madden

[Editor's Note: Today's blog post is by guest author William Seebeck. I've known Bill for decades, going back to our time working together at Lexis-Nexis in Dayton, Ohio during the 1980's. Bill has a wealth of experience in online systems, banking, publishing, and public relations.]

By Bill Seebeck

Shortly after the Super Bowl, I was speaking with a life-long friend, Mike Siani, NFL scout, coach and former Oakland Raiders wide receiver. I said, “You know Mike, I always loved when John Madden was your coach and on first downs he would use three wide receivers (Fred Biletnikoff, Siani, and Cliff Branch) and send you all down field for a big gain pass play from QB Ken Stabler.“ (In Mike’s 9-year playing career alone, he averaged some 17 yards after each catch). “Today, most teams are so predictable. They run on the first two downs and then they try the pass on the third down.”

I can still hear it in Madden’s voice today when he says, I’d pass on first down, you’ve got be more aggressive right out of the box. Go for it!

Another person who liked “going for it” in business was Lou Gerstner, the former CEO of IBM. There are at least two things Lou is known for. The first is being bold and the second being successful.

If you are holding an American Express card, chances are it’s because of the way Lou Gerstner changed their card business between 1978 and 1989. If you enjoyed a Nabisco cracker during the Super Bowl, chances are you can thank Lou Gerstner and the fact the IBM is still one of the most successful American companies is definitely because of Mr. G.

His efforts at IBM are well known to me, in part because my business partner, Hunter Grant and I were hired as an outside consultant to review and second-guess their Internet strategy in the mid-1990’s. During that time, we looked at quite a number of projects and found them wanting, not because they didn’t have great people, but because they weren’t current with the rapid changes occurring in the information technology marketplace at the time. In addition, the organization had become so large, that it was getting in its own way in creating new products. Gerstner changed that, but only after instilling in the company a belief that change and a willingness to accept ongoing examination and criticism were good things that could help drive new growth.

It was no surprise to me then when I received my September 18, 2008 edition of BusinessWeek and found that Lou Gerstner had written a great column entitled. “It’s Time To Reengineer U.S. Government”. In this now five-month old article, Gerstner said:

Amid the ongoing turmoil, it seems obvious we must reinvent our government and create an efficient system that can anticipate and avoid major crises. Despite many opportunities, however, this is not a lesson we have taken to heart. Whether the task is fixing health care, upgrading K-12 education, bolstering national security, or a host of other missions, the U.S. is better at patching problems than fixing them. Part of the reason is that we have two parties lacking comity and a sense of shared national responsibility. But beyond the partisan divide, I would argue that the processes of government are broken, preventing us from taking responsible actions.”

In the article, he invited readers to visit and there he said:

“You'll find thousands of directorates, agencies, boards, offices, and services replete with overlapping responsibilities, ancient priorities, and divided accountability.”

He continued:

“We do not need Departments of Commerce, Labor, and Education; we need a single Department of Skills that will promote an integrated approach to global competitiveness. Our military should be trained and structured around missions, not the elements of air, water, and land. That requires fundamental change, but instead, the Defense Dept. has established an overlay of "commands" to compensate for organizational deficiencies. Does it make sense, in 2008, even to have a Bureau of Alcohol, Tobacco, Firearms & Explosives? If so, why is it part of the Treasury Dept.?”

when it gets to the financial sector, Mr. Gerstner stated:

“... the regulatory processes in place are ad hoc and depend on leaders undertaking risky initiatives. Now more than ever, we need a single federal organization to oversee all of our financial institutions.”

In addition to calling for bipartisan action and business cooperation, he suggests the creation of a commission similar to the one established by President Reagan in 1982 that became known as the Grace Commission (named after its chairman and my former boss, the late J. Peter Grace, Jr.) It was this commission that uncovered great government waste. In its final report, the Commission concluded that nearly one-third of all taxes collected by the federal government were squandered through inefficiency. Although, as Mr. Gerstner stated in his article, 2,478 recommendations were made, few were ever tried.

I agree with Lou Gerstner. A government reengineering team should be created, reporting directly to the President. It should be vigorous in its effort to create change not for change sake but because we know that government no longer works. It is a broken system. We are much better off defining new requirements and creating a new government structure, that we can migrate to, one that is lean, flexible and powerful enough to efficiently meet the needs of tomorrow’s citizens.

Come on, don’t be afraid, you’ve got to be more aggressive out of the box. Go for it!

© 2009 WBSeebeck

Facebook Backtracks on Its Terms Of Service

I've Been Mugged readers know that I'm no fan of Facebook. After prior privacy debacles and a class-action lawsuit, I frankly don't trust Facebook to do the right thing. Facebook's latest debacle, as documented in the company's Facebook blog:

"A couple of weeks ago, we revised our terms of use hoping to clarify some parts for our users. Over the past couple of days, we received a lot of questions and comments about the changes and what they mean for people and their information. Based on this feedback, we have decided to return to our previous terms of use while we resolve the issues that people have raised."

Clarify some parts? You gotta be kidding! It was a major bungling. Facebook backtracked after this blog post in The Consumerist:

"Facebook'sterms of service (TOS) used to say that when you closed an account on their network, any rights they claimed to the original content you uploaded would expire. Not anymore. Now, anything you upload to Facebook can be used by Facebook in any way they deem fit, forever, no matter what you do later. Want to close your account? Good for you, but Facebook still has the right to do whatever it wants with your old content. They can even sublicense it if they want."

I read the TOS and agree with this conclusion. Obviously, these new terms are no good for consumers and are incredibly favorable, one-sided terms for Facebook.

A coworker said that she thought that Facebook didn't have any “nefarious” intent. She thought that these issues would become more common place until a legal base line is established regarding user generated content and ownership at social media sites. The bottom line for her is that sites like Facebook need to make money; and are going to make money off consumers' content one way or another. For my coworker, common sense suggests that consumers should consider carefully what personal data they disclose at social media sites.

I disagree with my coworker. Terms don't have to be this one-sided. I would never give up my intellectual property and content rights so easily; and definitely wouldn't give them up without compensation. That's too high a price for any free service. Some have already suggested, and I would be willing to pay a monthly fee to Facebook for terms favorable to my need to maintain control of my content. Facebook makes some money and I have the control I need. That seems fair.

In the ZDNet Between the Lines blog, Sam Diaz raised an even more important reason for consumers to be upset with (or to cancel their membership) Facebook's proposed new Terms of Service:

"We reserve the right, at our sole discretion, to change or delete portions of these Terms at any time without further notice. Your continued use of the Facebook Service after any such changes constitutes your acceptance of the new Terms."

About this sentence in the new Facebook TOS, Diaz then wrote:

"Whoa! You get to change the rules and you don’t have to tell me about it? And just because I log-in again tomorrow - just like I do at some point pretty much every day - means that I agree to the new rules you’ve put in place? How is that fair? After all, this is a social networking site that has built a huge following based on tools for communicating with other people - and you can’t “communicate” to me that you changed the rules?"

I agree. It's not just unfair, it's a bad business practice. As I wrote previously about ISPs that performed stealth targeted advertising programs and failed to notify their customers, consumer notification and opt-out are required. Notification and opt-out are just good business, and they are what consumers demand. Facebook would do well to learn from the mistakes by ISPs. For me, control of my intellectual property and content is a necessity. Facebook could easily offer its customers a choice: free service with terms favorable to Facebook, and paying customers get terms favorable to their need to totally control their content.

Last, my advice for users: be a smart and informed consumer of social media sites. This Facebook debacle should be a strong reminder for consumers to: a) read the terms of service before you register at any web site, especially social media sites, b) avoid social media sites that don't guarantee notification and opt-out mechanisms about their TOS and features, and c) avoid social media sites with one-sided terms about cntent control and ownership.

Two More Class-Action Lawsuits Against Heartland For Lax Data Security

Earlier this week, Bank Info Security reported that two Philadelphia-based law firms had filed class-action suits on behalf of all debit- and credit-card holders in the U.S. who had their data stolen in the Heartland data breach:

"The law firm of Berger & Montague filed a class action suit in the U.S. District Court for the District of New Jersey, alleging Heartland's failure to safeguard cardholder data when the company's computer systems were hacked and cardholder data was stolen... Berger & Montague were also co-lead counsel in the consumer class action suit brought against TJX Companies, which resulted in a $200 million settlement. The third class action lawsuit filed in February against Heartland comes from Sheller P.C. of Philadelphia, PA. Sheller's suit against Heartland has similar charges against the payment processor. Sheller P.C. also filed its class action lawsuit in the U.S. District Court for the District of New Jersey."

According to various news reports, Heartland announced on January 20, 2009 that the sensitive financial information that it handles was stolen: consumers' names, credit card and debit card numbers, and expiration dates. The breach occurred sometime during 2008 when malicious software was installed on Heartland's computer network. Heartland said that it processed about 100 million card transactions per month during 2008, but an unknown number of cards were affected by the breach. Fraudulent activity has already occurred on some of those cards.

This data breach was massive. So far, about 330 financial institutions have reported their customers' cards were compromised because of the breach. Those cards must be replaced, old accounts closed, and new replacement accounts opened. All of this costs money and somebody will pay -- hopefully Heartland.

When companies fail to adequately protect consumers' sensitive personal data, there are several consequences. One consequence: consumers can stop shopping at that company, provided it is a retailer. When the company isn't a retailer, other consequences can be applied, such as a class-action lawsuit. Kudos to both Berger & Montague and Sheller PC.

Clickjacking: What It Is And How To Protect Yourself

I first read about this last year in the ZD Net Zero Day blog. At that time, there wasn't much data to go on. But the article provided a good definition of clickjacking:

"In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch."

Well, that sounds scary enough. All kinds of funky things can happen when you visit a malicious site, or a site infected with malware. I'm glad that I use McAfee SiteAdvisor to help me avoid malicious web sites. It's not bullet-proof, but I'll take all the protection I can get.

Recently, I saw this "Does Your Browser Prevent Clickjacking?" article at the Internet News site:

"One of the features in the IE 8 Release Candidate 1 includes technology that is supposed to help prevent Clickjacking. The claim has one of the principal discovers of Clickjacking raising some questions over the problem and how to prevent it with browsers. Although Clickjacking attacks have not yet been widely reported..."

How the anti-clickjacking feature in IE8 is supposed to work:

"The core of IE 8's Clickjacking protection focuses on enabling Web developers to specify and restrict which content on their site can't be broken out and framed by another site. It's a technique known as frame-busting and can also be implemented by developers using javascript code on their sites that restrict frame usage. The IE 8 approach is a different method for frame busting."

I really don't want to know how it works. I just want an effective fix. Geez. Seems like every week there's a new "feature" on the Internet.

FEMA Data Breach, Secrecy, And ID Experts Helps With FEMA's Breach Response (Part Two)

The previous post explained the FEMA data breach. For its breach victims, FEMA arranged credit monitoring and identity restoration services from ID Experts. I visited the site for FEMA breach victims, and noticed:

  • 18 months of free ID Experts membership
  • Membership includes online access to useful tools and information about identity theft
  • Membership includes full recovery services and loss reimbursement for consumers who experience identity fraud
  • ID Experts will provide fraud victims with their "own Recovery Advocate" for assistance with fixing damage done to their identity, finances, and bank accounts
  • The site encourages breach victims to place a Fraud Alert on their credit reports at the three major credit-reporting agencies

This is a good start. The 18 months of free credit monitoring and recovery services is longer than the 12 months IBM arranged with Kroll after the February 2007 IBM data breach. It should be even longer -- probably 5 to 10 years -- since the exposure and risk of identity fraud doesn't magically stop at 18 months.

Breach victims should be aware of the limitations to the breach responses services FEMA arranged with ID Experts:

  • The "FraudStop Breach Edition Credit Monitoring Terms Of Service (TOS)" contains important details. Unfortunately, this document is buried in the Enrollment Page, making it difficult for consumers to find important details. Not good.
  • Not all expenses are covered: "Allowable expenses" means those incurred by you and fitting the definition of "costs" as set forth in the Personal Internet and Identity Coverage Insurance Policy ("PIIC") issued by American International Specialty Lines Insurance Company." The PIIC document is available online, but can be difficult to find since it is appended to the end of the TOS document.
  • Insurance limits are $30,000 with a maximum of $7,500 per week for list wages with a 4-week maximum. Covered expenses include costs, "... in the United States for re-filing applications for loans, grants or other credit instruments that are rejected solely as a result of a stolen identity event... for notarizing affidavits or other similar documents, long distance telephone calls and postage solely as a result of your efforts to report a stolen identity event and/or amend or rectify records as to your true name or identity as a result of a stolen identity event... Actual lost wages that would have been earned in the United States... for time reasonably and necessarily taken off work and away from the insured's work premises solely as a result of the insured's efforts to amend or rectify records as to the insured's true name or identity as a result of a stolen identity event. Actual lost wages includes remuneration for vacation days, discretionary days, floating holidays, and paid personal days and excludes business interruption or future earnings of a self-employed professional... limited to wages lost within 12 months after the insured's discovery of a stolen identity event."
  • While legal defense fees and expenses are covered, ID Experts must approve the attorney used
  • While the plan covers costs to retrieve credit reports from other agencies besides TransUnion, there are limits: "...up to six credit reports from established credit bureaus (with no more than two reports from any one credit bureau)"
  • Services cover only the individual. Services do not cover spouse or children.
  • Online credit monitoring alerts include only credit reports from TransUnion: "You may choose to receive a credit report and weekly notification of changes to your credit report from TransUnion. We provide a link in the Member Services section of our Web site to sign up for these included credit services." Consumers should be aware that weekly notification covers only their credit report at TransUnion and excludes credit reports from Equifax and Experian. Plus, weekly notification may not be frequent enough for some consumers.
  • Credit recovery services cover fraud while the breach victim is enrolled in the ID Experts service. Fraud events that occurred prior to enrollment may not be covered.
  • ID Experts will coordinate services with another ID-theft insurance plan, but requires the other company to make reimbursements first: "The Program's lost income and expense reimbursement services are available to you even if you have identity theft insurance with another company... if you become a victim of an Identity Theft Event, you must seek reimbursement from that company first, up to its policy limits. Then, if you do not receive full reimbursement of your expenses and lost income associated with the recovery process under that coverage, you would be eligible to receive the difference, up to the limits of and subject to the terms and conditions of the PIIC Policy."
  • Like any other insurance plan, there are time limits when filing claims

Should a FEMA breach victim accept this credit monitoring and recovery services offer from ID Experts? It depends based upon the consumer's specific situation. Breach victims who also become fraud victims will need the recovery services from ID Experts, or from a comparable service. The weekly online alerts may not be fast enough for consumers experiencing active fraud. The TransUnion-only alert coverage may not be enough for many consumers who need to apply for credit when lenders use credit reports from Experian and Equifax.

Breach victims who already have a credit monitoring service and ID-theft insurance in place should compare both services to see if the FEMA-arranged offer with ID Experts is better. If that describes your situation, then only you can make that comparison.

FEMA Data Breach, Secrecy, And ID Experts Helps With FEMA's Breach Response (Part One)

In December 2008, the Federal Emergency Management Agency (FEMA) issued a press release about its data breach after a consumer:

"... notified FEMA that their personal information pertaining to Hurricane Katrina was posted on the internet. FEMA took immediate and aggressive action to verify that the information posted was indeed tied to FEMA applicants from Hurricane Katrina. FEMA swiftly contacted the website hosting the private information, and worked with them to have this private information removed from public view. Additionally, FEMA identified a second website posting the same information. We also contacted this second website and worked with them to have the private information removed from public view."

The breach affected about 17,000 consumers, and included sensitive consumer data:

"The information posted to the sites... included applicant names, social security numbers, addresses, telephone numbers, email addresses and other disaster information regarding disaster applicants from Hurricane Katrina who had evacuated to Texas. Katrina evacuees listed were from across the Gulf Coast."

FEMA learned about the data breach on December 16 and issued the press release on December 19. That's fast and good. However, much of the press release includes an attempt by FEMA to place blame for the breach on an unnamed state agency:

"... social security information was not in the same format as what would be provided by NEMIS [a FEMA database]. There were also fields that are foreign to the information maintained by FEMA. FEMA believes that most of the applicant information posted on the websites was properly released by FEMA to a state agency which requested and received this information to fulfill routine needs following Hurricane Katrina."

What's with the C-Y-A explanation? Consumers want and need to know two things: a) what is FEMA doing to help breach victims, and b) what are FEMA and the state agency doing to prevent future breaches like this one. Sensitive consumer data has been exposed and no amount of C-Y-A is going to change that. The FEMA press release explains some of "a" and none of "b." Not good.

Nor does the press release disclose the specific state agency involved. Not good. Why the secrecy? Consumers need to know which state agency and that FEMA is working with that state agency to ensure adequate data security so that another breach by a state agency doesn't happen again. Ditch the secrecy and just tell consumers what they need to know with transparency. And keep consumers informed with updated status of the breach investigation.

If the state agency can't comply with reasonable and currently established data security methods, then consumers need to know that. And FEMA needs to an alternative state agency. The secrecy doesn't help anyone.

Tomorrow: a look at the breach response and credit monitoring service FEMA arranged.

Temp Worker Arrested For Identity Theft At Health Agency

When consumers visit the doctor for a flu shot, they don't expect that a doctor's visit will expose them to identity theft. However, that was what happened in this Charlestown, West Virginia health agency. The Charleston Gazette reported:

"The Kanawha-Charleston Health Department is sending 1,000 letters to people who received flu shots from the agency between Oct. 1 and Dec. 31, warning them that their personal information might have been stolen by a former department temporary worker. Jameelah Jossiah, 24, a former flu clinic medical billing clerk, was charged with computer fraud after allegedly making a $400 purchase at the South Charleston Wal-Mart with a credit card obtained illegally under the name of a woman who received a flu shot from the Health Department last fall."

Like I've written previously, identity thieves are smart, crafty, and persistent. They will use stolen data as long as it has value. Think of identity thieves as financial terrorists. The good news in this case:

"After searching Jossiah's home ... detectives found a handwritten list of about 14 flu-shot recipients, including their names, Social Security numbers, birth dates, addresses and other personal information..."

The good news: the thief was caught. This may not seem like a big deal to consumers, since it was a small data breach -- not millions of records at a corporate data breaches. But if your data is one of the ones stolen, it was a big deal. Data breach victims must spend significant time and money monitoring their financial accounts for fraud, and fixing the damage.

An alert consumer tipped off law enforcement:

"In December, the Kanawha Sheriff's Department received a report from a woman who said her identity had been stolen... The woman discovered that someone had obtained a Chase bank credit card in her name. Several purchases were made on the card, including the $400 purchase at Wal-Mart."

Sheriff's detectives caught Jossiah after reviewing WalMart surveillance video. The detectives were aware of the theft because a consumer reported it. I'd like to thank law enforcement for accepting the consumer's identity theft report, and then following up on it. Too often, local law enforcement doesn't.

And, I'd like to thank the consumer who reported the fraud to law enforcement. This fraud case should be a reminder to all consumers of the importance of reporting identity theft and fraud to both local law enforcement and to the FTC. Reporting fraud works. It helps catch identity thieves.

When I read a news report like this, there are some unanswered questions:

  • Is 14 the total amount of stolen identities?
  • Did Jossiah sell stolen identities to others?
  • Jossiah worked in the Health Department as a billing clerk for about three months. That's plenty of time to steal more than 14 identities. And, it is important for companies to identify the number of stolen identities. They often don't know and find it difficult afterward to determine.

This fraud case should be a warning to both medium- and small businesses everywhere. Their data security is only as good as the weakest link. And, that weak link can be temporary workers with access to the sensitive personal data of employees, former employees, and customers. Companies must train their employees to practice good data security habits and to monitor the work of temps and contractors. Companies must thoroughly screen temporary workers, and report fraud to local law enforcement.

The question is: how many more Jameelah Jossiahs are out there?

Massachusetts Gets Tough On Data Security (Part Two)

Yesterday's post discussed new legislation to protect Massachusetts residents. As you might expect, some businesses have protested the changes. Forbes Magazine reported:

"Massachusetts business owners and advocates protested new identity theft regulations at a hearing, saying the rules to protect customers' credit card numbers and personal information will be too costly and time-consuming in a down economy. The Office of Consumer Affairs and Business Regulation hearing was about again extending deadlines for the rules, which require businesses to encrypt laptops, wirelessly transmitted data and consumers' financial and personal information."

The complaints are ones you'd expect to hear:

"... the identity theft law will impede interstate commerce, hurt job creation, and cost too much for small businesses who have to hire outside technology support and upgrade their systems."

Some experts estimated the cost at $50,000 for a small business to comply with the new law. The Massachusetts Government estimated the cost at $10,000 for operation and maintenance in the first year. The companies asked the Massachusetts Government to reissue new regulations on May 1, 2009 and give them two years to comply.

Two years? I can see some foot-dragging due to the recessionary economy. However, business-as-usual just won't work. 2008 saw a record number of data breach incidents and records lost or stolen. And that's based on the fact that about 75 percent of companies release the number of records stolen or consumers affected. So, the real numbers are worse.

Plus, the cost of a data breach is rising significantly. These small businesses should compare the cost of compliance to the post-data-breach costs. $50,000 may seem like a lot, but at a $202 post-data breach cost per record, the break-even is only 248 records. Most small businesses probably have more than 248 customers. So, it is less costly for a small business to avoid data breaches by implementing strong data security now, rather than gamble with consumers' sensitive personal data and incur large post-data breach costs later.

Companies have to take responsibility for protecting consumers' sensitive personal data they use and archive: customers, employees, and former employees. While small businesses do not have the resources that large, multinational companies have to implement effective data security methods, business-as-usual won't work. Consumers have even less resources to protect their sensitive data, to pay for credit monitoring ($12 per month or more) and credit repair services (rates vary) after a data breach, and to pay fees to place and life Security Freezes ($5 - 10 per instance) on their credit reports. Plus, many consumers are unemployed.

Business has to pick up its rightful share of implementing data security methods, since they make money by using consumers' data. If this concerns you (and I hope that it does), I encourage you to write to your elected officials and tell them no more delays for small businesses to comply with the new data security laws.

Massachusetts Gets Tough On Data Security (Part One)

Changes are coming to Massachusetts businesses. Bank Systems & Technology reported:

"... come May 1, [companies and banks] will have to be mindful of strict new rules coming from the Commonwealth of Massachusetts around data security. The Massachusetts Data Security Regulations are perhaps like no other in terms of their depth and scope... They go beyond the rules of other states and the federal government that simply require companies to notify their customers of theft of their personal information."

There are several personal data items consumers must protect. Companies and banks keep a wide range of sensitive data about consumers (e.g., customers, employees, contractors, and former employees) which they don't always protect. What makes the Massachusetts law stricter:

"... companies, including banks, that handle the personal data of a Massachusetts resident must show they have in place a comprehensive, written information security program with heightened security procedures around how this information is handled. The rules also extend to entities' service providers and the degree to which they too much show they comply with the Massachusetts rules of handling data on residents. Companies have until May 1 to amend their vendor contracts to reflect this and until Jan. 1, 2010 to certify their vendors comply. Furthermore, companies must comply with these rules even if they do not have a single office in the Bay State or if they are in an already heavily regulated industry, like financial services. As long as customers in businesses' databases reside in Massachusetts, those companies are affected by the rules."

Now that's a law I like. Clear data security protections for consumers. There's more:

"Under the rules, companies have a duty to monitor their security programs on an ongoing basis... The safeguards in the program must be administrative, technical and physical in nature. Entities will be required to identify all records used to store personal information... Businesses must also identify and assess both internal and external risks to the organization. Once these steps are completed, they must then evaluate (and improve, if necessary) the safeguards in place around such areas as employee training and physical security... companies will be obligated to limit the collection and use of personal information. They must identify the purposes for which they collect this kind of information and identify how long the wish to keep it and who can access it."

Since so many company data breaches have involved laptop computers and flash drives, the rules also cover employee training and:

"Companies will be required to encrypt data that is not only stored but also when it is being transmitted over networks or physically moved as when an employees take a laptop home."

Amen. That's pretty good legislation which covers most of the problem areas that cause data breaches. However, I would have liked to have seen specific protections in the legislation about RFID, and jail time for executives at companies that don't comply or experience repeated data breaches.

I encourage Massachusetts residents to write to their elected officials and thank them for these new data security. I encourage residents in other states to ask their elected officials what they are doing about data security so their state does not fall behind Massachusetts.

War! What Is It Good For? Absolutely Nothing!

[Editor's Note: Today's blog post is by guest author William Seebeck. I've known Bill for decades, going back to our time working together at Lexis-Nexis in Dayton, Ohio during the 1980's. Bill has a wealth of experience in online systems, banking, publishing, and public relations.]

By Bill Seebeck

I think Ed Starr was on to something when he sang out the words of this popular anti-war song in 1970.

This was confirmed by my college economics professor, Dr. Emily Sun, who observed that no nation could sustain itself for long periods of time on a wartime economy. Simply put, Dr. Sun would say, when you invest in war there is no direct economic return. I mean if you buy chickens, you will have eggs for breakfast and ultimately, roast chicken for dinner. When you buy bullets, you get spent cartridges.

It seems that President Reagan understood this concept as it is generally acknowledged that his administration engaged in a military spending competition with the Soviet Union, such that their economy could not sustain the effort against the U.S. and ultimately collapsed taking communism with it.

However, the war in Iraq has been the longest engagement by the United States in daily combat in its history. It has also cost the American people close to two trillion dollars, the lives of thousands on both sides and helped wreck our economy.

Somehow we didn’t understand the implications of the Reagan plan well enough.

So, here we are deep in the deepest financial crisis in our history and we cannot ignore the great challenge that confronts us, as a result of our strategic, foreign and military policies.

Economics alone dictate that we disengage as soon as possible. Military sense dictates that our forces have been “punished” by continuous deployments with most serious long-range implications as to the type of force available to us for the future.

So what do we do?

Experience in the region tells me that we should acknowledge that we are willing to maintain supportive relationships with governments that are not religiously driven. We should further acknowledge that many countries that are ruled by religious bodies have a poor view of the West and as long as they make no designs on the United States, we should have no designs or interest in them.

With regard to Iraq, I believe that as long as civilians run their government, we will support their efforts to further modernity and that would include a joint military assistance program. As for Afghanistan, I believe that unless and until we have a very broad, disciplined and honest relationship with Pakistan, that we should forgo further interests in a country long dominated by war-lords with an agricultural economy focused around one product – heroin.

In the short term, we should remove our troops from both Iraq and Afghanistan. In our own self interest, we should make sure that the pipelines of oil that fuel our economies in the west are maintained without interruption through whatever needs required. As for the terrorists that attacked us, they should never have rest from our vigilance.

What's your opinion? I hope that you will share it below and with your elected officials.

© 2009 WBSeebeck

Oil, Oil, Oil - What Should the Price Be?

[Editor's Note: Today's blog post is by guest author William Seebeck. I've known Bill for decades, going back to our time working together at Lexis-Nexis in Dayton, Ohio during the 1980's. Bill has a wealth of experience in online systems, banking, publishing, and public relations.]

By Bill Seebeck

Before we begin, remember that before there was the cost of oil, there was coal; before coal it was wood, and somewhere in between there was natural gas, not to mention electricity. And who knows in the future, we may be complaining about windmill rates.

The reality is that there is some purpose to almost every form of energy, although the man made one – nuclear seems to always be a problem because it can also be used to breed a weapon and we don’t know how to protect ourselves and our environment from its most toxic waste.

Back to oil. Well, we, the public, have been dealing with the price of oil in one way or another for the last eight years and it hasn’t been pleasant. If we didn’t know it before, we now know that it can wreck a home budget overnight, can do the same to the travel and hotel industry, not to mention the cost of food, and every other product, good or service we consume. Yes, not having a fix on oil will keep us rocking as we begin the hard work of putting the economy back in balance.

So, what should be the real price of oil?

Well, news agencies are reporting that OPEC wants a price of $75 a barrel. That would mean that the price at the pump would be closer to $3 a gallon. For those nations that are listening, I can tell you that $3 is too much and won’t work here in America. Sounds like I’m negotiating a price? Well, I am and I think we can negotiate a price or a price range that is acceptable to our economy and to OPEC.

Last year, the chairman of the National Bank of Kuwait suggested that the price range might be in the $35-$50 range. At the pump, that would mean a price not higher than around $2.25 per gallon. Even that is high but closer to reasonable given our current situation. What would work is around where the price has been over the last 60 days, somewhere between $30 and $45 per barrel. That would keep the pump cost below $2.00. The price needs to be kept below two dollars per gallon.

Now at that price, do the OPEC countries make money? Yes, they do. In a variety of interviews at the close of 2008, it was reported that the cost of oil at the wellhead in the Gulf was still around $2.00, which it has been for some time. When you add costs, expense is around $18.00-$20.00 a barrel, OPEC will still be making a profit margin of 50-100%. That is more than fair.

From my time in Saudi Arabia working with a company that had a major American oil concession, I learned that the companies make a profit, but collectively, it might not be enough to meet their own government’s budget needs. That to me is a whole other situation. I think that it is important that our government actively work to seek some level of stability in oil prices so that we all can better plan our lives in an effort to make a more predictable recovery.

What's your opinion? Are you tired of being "mugged" at the gas pump? I hope that you will contact your elected officials and tell them that stable oil prices need to be a priority.

© 2009 WBSeebeck

10 Things You Should Never Write In An E-mail Or Instant Message (Twitter Message, Too!)

An interesting and slightly humorous CIO Magazine article listed ten things you should never include in an e-mail message or an instant message. I guess that given the Enron debacle, the Madoff ponzi scam, the Satyam fraud, and several other unethical events by senior corporate managers, the editors at CIO Magazine felt it necessary to write this article. The list:

1. "I could get into trouble for telling you this, but..."
2. "Delete this e-mail immediately."
3. "I really shouldn't put this in writing."
4. "Don't tell So-and-So." Or, "Don't send this to So-and-So."
5. "She/He/They will never find out."
6. "We're going to do this differently than normal."
7. "I don't think I am supposed to know this, but..."
8. "I don't want to discuss this in e-mail. Please give me a call."
9. "Don't ask. You don't want to know."
10. "Is this actually legal?"

These seem so obvious, you'd think that an executive wouldn't need to be warned. This can get you into big trouble:

"You could get fired if your employer finds out you've shared confidential information over e-mail or IM... Even if you've just used your e-mail to share what you think is a funny forward or to let off some steam about a manager or co-worker, you could get canned for that too... especially if someone else has filed a sexual harassment or hostile work environment claim against you. Then, that "funny" e-mail you sent or the e-mail in which you let off some steam could be used as evidence against you."

Since so many companies experience data breaches every month, I thought that I would add ten more items to the list of things you should never write in an e-mail/IM message:

11. "Here are Social Security Numbers, names, and..."
12. "She won't notice. She hasn't accessed her 401-k in years."
13. "To work at home, I copied 15,000 customer records onto a flash drive..."
14. "The system sign-in ID and password are..."
15. "Customer A's credit card number is..."
16. "The attached spreadsheet file contains profiles of our top customers..."
16. "I used real customer data to QA this new application...."
17. "Minimize costs. Get the cheapest credit monitoring service vendor..."
18. "I downloaded 15,000 customer records onto my laptop..."
19. "What new data security laws for our state?"
20. "We don't encrypt wireless transmissions..."

Does this list apply also to Twitter posts? Definitely. Plus, Twitter posts are even more public than e-mail or IM. Your personal twitter feed may be private, but once you grant access to it by other Twitter users, your Tweets are public -- out there permanently for all to see, copy, and forward.

Study Finds That Consumers Fear Mobile Banking Security Threats

While many companies and web sites are rushing to implement mobile applications, I think that it is important to look at the facts. According to The Paypers, a news organization that covers the global payments industry:

"A recent study seeking to assess the main obstacles to mobile banking adoption indicates that [U.S.] consumers regard security as the main concern which prevents them from engaging in mobile transactions.... Another widespread opinion among consumers who chose not to sign up for mobile banking is the fact that since mobile transactions are not yet mainstream, mobile banking services providers cannot anticipate the type of attacks fraudsters could launch against users once mobile banking adoption rates climb."

Sounds to me like consumers are using a healthy dose of skepticism, similar to choosing not to buy the first year of a new auto model. Past experience and product recalls has proven to consumers that it takes time for auto manufacturers to get the bugs out of a new cars. It seems that consumers have judged that the same applies to banks and financial institutions.

This skepticism seems logical to me also because consumers have already experienced numerous phishing attacks via e-mail on desktop and laptop computers. Plus, consumers are wary given the financial and mortgage mess on Wall Street, and data breaches at leading banks, including TD Ameritrade, Bank of America, and Bank of New York Mellon). Mobile banking executives should tattoo on their foreheads: trust is earned, not automatic.

So, consumers choose to wait for banks to straighten out the data security issues first, then sign up for mobile banking. The article also reported:

"Thus, 73 percent of consumers fear hackers can remotely access their phones, 68 percent of interviewees are concerned sensitive mobile banking data can be stolen using a wireless signal despite encryption, and 54 percent of consumers worry that their mobile phones can be stolen. The same study points out that all the major US mobile banking platform vendors offer authentication tools which comply with the standards set out by the Federal Financial Institutions Examination Council (FFIEC), however 56 percent of them have not implemented strong authentication systems for their mobile banking platforms."

Javelin Strategy & Research, a financial services market research company, conducted the study.