Previous month:
July 2009
Next month:
September 2009

21 posts from August 2009

Lifelock And The Credit Monitoring Industry Struggle To Protect Consumers

This past weekend, Todd Davis, Lifelock's Chairman and CEO, announced in a video message the company's intention to release new services during the coming weeks. This was prompted by a court ruled in May 2009 in favor of Experian to stop companies like Lifelock from setting Fraud Alerts on behalf of its customers. Lifelock had appealed the decision.

In February 2008, I've Been Mugged reported the Experian v. Lifelock lawsuit. The fight between Experian and Lifelock was like two five-year-old kids arguing over who gets the last brownie on the kitchen table while there is a fire burning in the living room. There are bigger issues. Fraud Alerts are a relatively weak tool, since it doesn't force lenders to contact consumers. Credit monitoring service that include a Fraud Alert tool still do not stop:

To be clear, I am no fan of Lifelock. Much of what the company charges for, consumers can (and should) do for themselves for free. In April of 2008 Consumer Reports gave Lifelock a less than stellar review.

However, on one point Davis and I agree. This court ruling is a setback for consumers. It limits choice in the marketplace at a time when data breaches and identity theft have increased. The ruling means that consumers must go directly to Experian (and other credit reporting agencies) to establish a Fraud Alert.

It will be interesting to hear during the coming weeks about Lifelock's new services. Hopefully, the company has done its homework and developed a set of truly innovative and more comprehensive identity protection tools.

It is in consumers' best interest for a comprehensive identity protection service. Why? Many consumers I've talked with have no idea what to do about identity after their sensitive personal data has been stolen. Many consumers need all the help they can get. Few know the difference between credit monitoring and credit restoration. Few understand the limitations (e.g., see the bullet list above) with credit monitoring services. Then, it's a rush to learn what to do to protect themselves, and establish some preliminary protections.

It is sad that the identity protection industry so fragmented and disorganized.

There's a gap in the marketplace and a truly comprehensive identity protection service would go a long way towards helping consumers. The credit reporting agencies don't offer a comprehensive service; they focus narrowly on monitoring (usually their own) credit reports, and providing credit scores. Regional credit reporting agencies are essentially ignored, along with insurance reporting services like ChoiceTrust.

All of these regional credit reporting and insurance companies' reports are high-value targets by identity criminals. The credit monitoring services by independent companies are somewhat better than the credit reporting agencies' service, but that is not a high bar to leap. As I wrote in May 2009:

Since I started this blog, I have searched for a truly comprehensive identity protection service, which should include:

  • Unlimited access to the full text of all of my credit reports from both the major credit reporting agencies and from the smaller, regional credit reporting agencies (e.g., Innovis)
  • Unlimited access to the full text of all of my C.L.U.E. insurance reports
  • Unlimited access to the full text of all of my sensitive personal medical information
  • Monitoring of my identity across social networking sites
  • Instant e-mail, text messaging, Twitter, or RSS alerts about status changes to any of the above
  • Tools and calculators to help me evaluate these reports
  • The ability for to customize alerts based on my individual needs
  • Options to add Fraud Alerts to any or all of the above reports
  • Options to add Security Freezes to any or all of the above reports
  • Criminal fraud monitoring (if my identity is used by thieves during a crime)
  • Identity fraud assistance when traveling outside the USA
  • Identity resolution services and insurance for all of the above reports
  • 24/7, and easy access to a real person in customer service via phone
  • Arrangements with employers so that after a data breach, I get reimbursed for my monthly fee for this service, rather than receive an offer for another credit monitoring service I don't need

Consumers can't get all of the above. To get large portions of it, you'd have to cobble together at least five or six different services. The Experian v. Lifelock court ruling adds to the problem, since Fraud Alerts will now be available only at the major credit reporting agencies.

It shouldn't be this hard for consumers. Maybe Lifelock has tackled this problem with their new services. We shall see during the coming weeks, and I've Been Mugged will report on it.

Fact Check The Messages In Your E-mail In-Box Before Forwarding

A few days ago, an acquaintance in Atlanta (who is a doctor) forwarded this e-mail message to me:


It does not matter if you personally like or dislike Obama. You need to sign this petition and flood his e-mail box with e-mails that tell him that, even if the House passes this bill, he needs to veto it. It is already impossible to live on Social Security alone. If the government gives benefits to 'illegal' aliens who have never contributed, where does that leave those of us who have paid into Social Security all our working lives? As stated below, the Senate voted this week to allow 'illegal' aliens access to Social Security benefits. Attached is an opportunity to sign a petition that requires citizenship for eligibility to that social service. Instructions are below. If you don't forward the petition and just stop it, we will lose all these names. If you do not want to sign it, please just forward it to everyone you know. To add your name, click on 'forward'. Address it to all of your email correspondents, add your name to the list and send it on. When the petition hits 1,000, send it to [email protected] .

Dear Mr. President:
We, the undersigned, protest the bill that the Senate voted on recently which would allow illegal aliens to access our Social Security. We demand that you and all Congressional representatives require citizenship as a pre-requisite for social services in the United States. We further demand that there not be any amnesty give n to illegal aliens, NO free services, no funding, no payments to and for illegal immigrants.
[Names redacted]"

My acquaintance wanted to know what I thought of this message, and if the e-mail message is accurate. First, understand that I am all for citizen participation in a democracy. And that includes petitions.

When I receive an e-mail message like this, I try to verify its accuracy and authenticity. One way I do this is to see if the e-mail message includes any references and/or citations. The citation could be the formal bill number and/or a web site address. Bills written in the U.S. Congress have an HR-xxx number, and bills written in the U.S. Senate have a S-xxx number. This is how everyone tracks Federal legislation, and it assumes you know how the legislative process works. For a complete list of resolution and bill prefixes, see this U.S. Senate site page.

The e-mail message above didn't include a date, any references to bill numbers, any links to Web site pages by the sponsor of the petition, or to related news articles. Maybe this information was deleted as multiple people forwarded the message. Regardless, the message I received didn't provide any means to evaluate the petition's accuracy and authenticity. Hence, this e-mail message is garbage, in my opinion, and I deleted it after sending a reply to my acquaintance.

As a last resort, I suggested that my acquaintance check, which does a good job of analyzing and debunking the hoaxes and fictitious e-mail messages. Maybe has analyzed this email message. I felt that the message was not worth me wasting any more time on it.

After thinking about this some more, I began to wonder if messages like this are slick attempts at e-mail harvesting.

I also wonder about the thinly disguised bigotry in the message, since it targets undocumented workers in the USA, and not the companies that hire them without perform adequate and sincere background checks. Yes, people who immigrate illegally into the USA often use stolen identification papers in order to gain employment. That usually means using another person's Social Security number (SSN) to get paid. There are severe consequences for a consumer when another person uses your SSN.

This situation is good and bad news. While these undocument workers are working illegally, they pay into Social Security, local taxes, and Federal taxes. Our state and local governments seem happy to receive this tax revenue. The bad news is for the victims -- the consumers whose SSN's are being used by two people. It places the burden on the victims to prove the fraud. Citizens are already urged to check our annual Social Security Statements for fraud, which is a dubious data security process at best. Experts state that this method won't catch all SSN fraud.

In my opinion, the USA needs a better, more secure process for creating, administering, and securing Social Security numbers. A couple computer scientists should not be able to create real Social Security numbers using mathematical formulas. It also means holding companies responsible to perform adequate background checks when hiring workers.

Currently, there is no effective way for citizens to protect their SSN from abuse. The only thing you can do is monitor you annual social security statement and if the salary in that does not match what you earned last year, then it's a good chance another person is using your SSN. At that point, you need local law enforcement and a lawyer to help you resolve and unravel things.

There has to be a better way than this current approach. We citizens should demand that of our legislators. That is a more important issue. It's about the integrity of the Social Security system.

IBM Experiences Another Data Breach

IBM logo IBM's February 2007 data breach exposed the personal information of all of its employees and former employees. China Tech News reported that the sensitive personal information of 1,000 IBM Shenzhen employees was disclosed by a supplier in China:

"Some IBM employees in Dalian reportedly were also victims of this identity theft scam. A Beijing-based company, which is one of the suppliers of IBM, had allegedly applied for the credit cards, which is called Foreign Enterprise Joint Name Card. Though the BOC outlet stated that it did not issue the credit cards since there were no signatures of the employees on the application forms, one of the employees from IBM said that his card had already been used."

According to Forbes Magazine, IBM moved its global procurement headquarters to Shenzhen, China in 2006. This was the first time the headquarters of a corporate-wide IBM division has been moved outside the USA. IBM reportedly has about 3,000 suppliers across Asia and employees in about 60 countries.

You'd think that by now IBM, a company that is frequently hired by other companies as a consultant about data breaches and computer security, would have this breach and supplier security situation figured out -- that it just wouldn't happen to IBM.

Just like in 2007, IBM is tight-lipped when it comes to details. IBM says it is investigating the latest breach and won't release the name of the supplier. In 2007, IBM never disclosed the name of its supplier, nor the results of its breach investigation. In 2007, IBM offered its breach victims 12 months of free credit monitoring with Kroll.

This week, IBM's X-Force released its 2009 Mid-Year Trend and Risk Report about the threats that affect Internet security, including software vulnerabilities and public exploitation, malware, spam, phishing, web-based threats, and general cyber criminal activity. Several news media sources, including Internet News, ran the following quote about the report:

" 'The trends highlighted by the report seem to indicate that the Internet has finally taken on the characteristics of the Wild West where no one is to be trusted,' said IBM X-Force Director Kris Lamb."

IBM should have added its supplier data breaches to the list of threats. Trust nobody indeed. Don't trust IBM either.

Capital One Wants To Decide What's In My Wallet

Way back in February 2009, I wrote about the Capital One notification I received about a huge interest rate increase on my Visa credit card. Back then, guest author Bill Seebeck also wrote about the huge interest rate increases the banks and credit card issuers were implementing.

Last weekend, I received a letter from P. Taylor Jamison, the Director of Accounts at Capital One:

"Dear George Jenkins,

Ready to enjoy more buying power? Well, grab your shopping list and your Capital One card because: Your credit line has been increased by $5,000.00... If you want to unload some higher interest rate balances and possibly enjoy more time and money for yourself, well -- your new credit line can help with that, too. You decide... Thanks for being our customer. We hope you enjoy your new credit line increase!"

Well, I sincerely appreciate Capital One for extending me more credit. I didn't ask for the credit line increase, but Capital One seems happy to provide it and decide what amount of credit is in my wallet. I guess that the Obama Administration's bailout program money (Capital One received $3.5 billion) is finally flowing to consumers... 6+ months later.

Unload higher rate balances? My Capital One Visa interest rate (17%) is the highest rates I have. I don't have any loans nor credit card balances with higher interest rates. So, there's nothing for me to transfer or unload.

On Monday I called the Capital One Customer Service to see if they could really help me. A very nice woman, Alina answered the phone. I asked Alina to reduce my credit line since I don't need $8,000.0 amount of credit. I sincerely appreciate the increase, but don't need that much credit. Alina was very polite and adjusted my credit line immediately.

While discussing this, I asked Alina to reduce my interest rate also, since Capital One obviously considers me a good customer. Alina said that she couldn't lower my interest rate and that I'd have to speak with a supervisor.

A couple minutes later the supervisor, Carol, joined the phone call. I repeated my request to see what Capital One could do for me, like a lower interest rate instead of the higher credit limit I didn't need. I reminded Carol that Capital One had increased my Visa interest rate in March by a lot, and a point or two reduction now would mean a lot.

I added that the higher rate has scared me from using my Capital One Visa credit card. Their card is basically no longer in my wallet.

Carol seemed to understand and empathized. After checking her files, she said that while I have been a good customer since 1994 Capital One wouldn't lower my interest rate at this time. Maybe a lower rate in the future. She said she could convert my card to a Rewards card with either frequent-flyer miles or 1% cash back. I thanked her for the Reward offer and replied that I'd keep using my Discover card since it pays me 5% cash back.

My point for sharing this story: we consumers decide what's in our wallets (and purses). Given the high interest rate and low cash-back payments, my Capital One Visa is not in my wallet. It could return to my wallet, but Capital One will have to make it worth my benefit.

What Personal Data Do Facebook Quizzes Collect And Share? (Privacy Rights)

Facebook logo From time to time, I have written about since the site has a checkered history of protecting consumers' sensitive personal data and privacy. If you use, then you want to know about this Facebook petition sponsored by the ACLU of Northern California:

"Dear Mark Zuckerberg:
Millions of people on Facebook use third party applications without realizing the extent to which these apps can access their private information. Please take the following steps to ensure that all of the private information people put on Facebook is not swept up by application developers and used or abused for unknown purposes:

- Change default privacy settings so that quizzes and other third party applications run by a user’s friends do not have access the information on a user’s profile without the user’s opt-in consent.

- Simplify and improve privacy controls to give users real control over the personal information that is shared with applications through Facebook.

- Require that third party applications like quizzes list the categories of user data they will access and allow users to view this list. Prevent applications from having access to information that has not been listed, and notify users if an application’s data categories change before allowing access to this additional information.

Facebook is a wonderful forum for communications and social engagement, but it requires meaningful privacy protections if it is to continue to grow. Please take the steps above to protect my privacy and continue to make user privacy a high priority.

To learn more about how much of your personal information Facebook quizzes share regardless of your Facebook Account Privacy Settings, Facebook members should visit the "What Do Quizzes Really Know About You?" Facebook application page.

Behavioral Exchanges: Where Your Web Browser Cookies Are Bought And Sold

Who knew that when you opted into getting online ads from an advertising network that you were also agreeing to allow firms to sell the contents of your browser cookie file. From the New York Times:

"BlueKai and eXelate work in similar ways. They both track who is interested in what through a cookie, an invisible bit of code on a Web page. When someone does a search, for example, on for first-class flights to Paris in September, that information can be captured by a cookie, and can sell that cookie using eXelate or BlueKai."

How it works:

"Once the [corporate advertising] buyers log in to the exchange, they select the criteria they want, and the exchange tells them how many cookies are for sale. BlueKai has about three million cookies for in-market sedan buyers, for instance, and nine million for cellphones and P.D.A.’s. The advertisers specify how recent they want the cookie to be — they may want only people who have looked for their product in the last day — and bid on a price. The challenge for eXelate and BlueKai is to get publishers and commerce sites interested in selling information about their visitors."

It's unclear if this applies to Adobe Flash cookies, which also collect and share data about consumers.

Consumer notification, control, and opt-in (not opt-out) mechanisms need to be really clear about this. And, I believe behavioral exchanges should exclude medical information. It'd be great if the FTC actually did its job and set some guidelines for behavioral exchanges.

Targeted Advertising Programs Integrate Your Offline And Online Habits

Things are moving quickly in the behavioral advertising industry, and we consumers had better pay attention. In her Behavioral Insider blog, Laurie Sullivan summarized some important developments from the OMMA Behavioral conference in San Francisco:

"... the trend became apparent from the start of the show when Exelate provided a pre-conference presentation focusing on integrating shopping data. Later in the day, MediaPost Senior Writer Wendy Davis led a panel where Fran Maier, CEO at Truste, confirmed that all the information gathered from online and POS transactions can be aggregated to create a "very detailed profile." She said consumers do know they are being tracked online, but they are not given enough information about the information collected. Execs from the analytics firm Webtrends provided some further insight. Webtrends is working with Dotomi, which retargets ads to consumers, to integrate Analytics 9..."

How it works:

"Webtrends built a data collection applications programming interface that will allow marketers to integrate data into Webtrends's analysis engine. Marketers can feed the POS data from in-store cash registers into a central repository database. Marketers can extract part, or all, of the data and feed it into the analytic engine and correlate the data to transactions on the Web site. Analytics treats it as a conversion event -- just as if the customer bought the products or services online."

Want to learn more? Follow any of the above links, or read the Behavioral Advertising section of this blog.

An Example of Insider Medical Identity Theft

From the Billings, Montana Gazette:

"A 33-year-old Columbia Falls woman has been sentenced to two years in prison and ordered to pay more than $18,700 in restitution for her role in an identity theft case... Prosecutors say [Andrea] Mackowiak took names, Social Security numbers and dates of birth from patient account records at a clinic and gave the information to a person in Washington state. That person used the information to set up Qwest telephone accounts that were used by prison inmates."

Thanks to local law enforcement that this identity criminal was caught and prosecuted.

Advice And Help From The Federal Reserve Board For Consumers

Three things you should know about so you don't get "mugged" by a loan company or bank:

1. On July 30, 2009 the Federal Reserve Board (FRB) issued updated rules about mandatory disclosure by companies offering private educational loans:

"The Federal Reserve Board on Thursday approved final amendments to Regulation Z (Truth in Lending) that revise the disclosure requirements for private education loans. The amendments implement provisions of the Higher Education Opportunity Act (HEOA) enacted in August 2008. Under the amendments, creditors that extend private education loans must provide disclosures about loan terms and features on or with the loan application and must also disclose information about federal student loan programs that may offer less costly alternatives. Additional disclosures must be provided when the loan is approved and when the loan is consummated... The new disclosure requirements apply to loans made expressly for postsecondary educational expenses but do not apply where educational expenses are funded by credit card advances, or real-estate-secured loans. In addition, the amendments do not apply to education loans made, insured, or guaranteed by the federal government, which are subject to disclosure rules issued by the Department of Education."

The changes go into effect in about 6 months.

2. The FRB also announced the availability of a new publication, "5 Tips for Shopping for a Mortgage," to help consumers make good decisions to select the best home mortgage possible:

"As a starting point, consumers are urged to conduct a financial self-assessment that includes scrutinizing their budget, checking credit reports, and reviewing credit scores. The guide directs consumers to a worksheet for developing a monthly spending plan and strongly suggests setting aside funds for emergencies. It is important for consumers to evaluate their options and avoid expensive loans. The publication recommends taking the time do some comparison shopping by analyzing loan offers from mortgage lenders and mortgage brokers. It also explains the difference between brokers and lenders... The guide advises consumers to take advantage of additional information from other Federal Reserve publications, resources, and websites. It suggests that consumers also seek financial education materials from other trusted sources such as the U.S. Department of Housing and Urban Development and NeighborWorks."

NeighborWorks is a national nonprofit organization created by Congress to provide financial support, technical assistance, and training for community-based revitalization efforts. "5 Tips For Shopping for a Mortgage" is available in both English and Spanish. This publication is a good step given the large amount of mortgage defaults by consumers as part of the financial crisis.

3. During the financial crisis, many consumers have experienced reduced access to credit. Early in March, this blog warned consumers of the coming higher interest rates, additional fees, and reduced limits for credit cardholders. For some home owners, the crisis meant reduced home equity lines of credit (HELOC). For this, the FRB announced a new guide for consumers that:

"... explains consumers' rights and lenders' responsibilities when credit lines are reduced and provides information for those seeking to have a credit line reinstated. "5 Tips for Dealing with a Home Equity Line Freeze or Reduction" explains that lenders can lawfully reduce or limit a consumer's line of credit regardless of whether the consumer has made timely payments. However, the lender must send a written notice of the action no later than three business days after the freeze or reduction goes into effect. The notice must include information about any other changes to the HELOC. The freeze or reduction notice should include specific reasons for the action. The most common reasons for modifying the terms of a HELOC are a decline in the home's value, or a change in financial circumstances."

Tagged Gets 'Tagged' For Alledged E-mail Harvesting

Last week, MediaPost News reported:

"Two California residents have sued social networking site for allegedly duping them into sharing their email contacts and then sending those contacts misleading ads... The California case was brought by Miriam Slater of Santa Barbara and Sara Golden of Los Angeles. Slater, an artist, alleges that she received a Tagged email on June 6 that purported to be from an acquaintance who wanted to share photos. Slater says in the complaint that she visited the site and provided the company with information, but only because she wanted to view the pictures. She alleges that Tagged never disclosed that she was actually registering to join the site or that it would harvest her email addresses and then solicit those contacts."

Earlier this month, the CNN'/Fortune Brainstorm Tech reported:

"Social-networking site has become a target of New York Attorney General Andrew Cuomo and the bane of a multitude of customers... which New York Attorney General Andrew Cuomo says he plans to sue for false advertising, deceptive business, and identity theft. What makes the case timely is that many of's practices, like mass emails and data mining, have become commonplace among social media sites. But Tagged's aggressive combination of these digital promotions set it apart from its competitors, Cuomo charges."

All of this was after Time magazine called the world's most annoying web site. I received one of these e-mail offers from Tagged. It was tempting to act on the e-mail because it appeared to come from somebody I knew. I deleted the e-mail because it seemed odd... the person who sent it to me was unlikely to have uploaded photos to this social media site. If the person had, I felt like they would have sent me another invite to their photos on Tagged. Of course, that second invite never came.

What should consumers make of this?

  1. Read the fine print (e.g., links to a Privacy Policy or Terms & Conditions Statement) of any e-mail you receive asking you to sign up to a social media site.
  2. Verify the invite independently with your friend. Text, phone, or e-mail your friend to ask them if they sent an invite for ABC social media site. Ask them if they really are a member of ABC social media site and have content there.
  3. Remember, you have a choice. Even if you get satisfactory answers to #2, you don't have to join (yet another) social media site. If it's that important to your friend, they will probably be happy to show you their photos or videos via another social media sites or in-person.
  4. If you do register at a new social media site, don't be quick to share your credentials (e.g., ID and password) or apps for other sites with the new site. See how well the new site protects your personal information first. Trust is earned, not given away freely.
  5. If you think that you and the people in your e-mail address book got burned by a Tagged e-mail invite, set up a Google or Yahoo alert to follow this lawsuit (e.g., Slater v. Tagged Inc.), and join the lawsuit when it reaches class-action status.

The whole situation reminds me of a line from the film "Unforgiven," an excellent western. See it if you haven't. In one scene, a gunfighter attempts to rationalize the people he has killed by saying, "He had it coming!" It seems to me that the executives at Tagged, Inc. have it coming.

Any company that abuses consumers' privacy and sensitive personal data has it coming. Once again, the Privacy Crusaders strike!

Tips For Elders To Protect Themselves From Identity Theft

Sadly, many identity criminals target elders. The Houston Family Examiner has a pretty article with tips that apply to everyone and not just elders. Some of the tips and suggestions:

"Many seniors have carried their social security card and number around for decades and it is a hard habit to break but seniors need to understand that today the practice simply isn’t smart or safe. Medicare card numbers put seniors at risk too. Instead seniors can leave their cards secured at home and instead carry a copy of their Medicare card with them, with the SSN blacked out. This will help you get the medical treatment you need in case of emergency and but still keep your information safe in case of a theft."

A really good tip since many Americans are very trusting (e.g., a character strength that some will try to exploit):

"Do not give out information over the phone, especially bank account or credit card information. If someone calls and claims to be from a bank or credit card company, hang up and call the institution back at a number you already have on a statement. Real institutions will not ask you for sensitive information over the phone and will already have the answers..."


"There are so many worthy charities out there and unfortunately so many charity scams that want to prey on the generosity of the elderly. is a trustworthy site for researching charities before giving."

Of course, the standard preventative measures apply:

  • Don't carry your Social Security card in your wallet or purse. Store it in a safe place like a safety-deposit box at your bank
  • Use a postal mailbox with a lock
  • Use a shredder before placing documents with sensitive personal data and address data) into the trash
  • Shred pre-approved credit and loan offers. Even better, use to stop receiving pre-approved offers via postal mail, if you don't need the credit
  • Sign up for the Do Not Call Registry
  • Use strong passwords at online web sites

The New York Times Interview of David Vladeck of the F.T.C.

If you follow this blog, then you know that I've covered the U.S. Federal Trade Commission (FTC), especially about behavioral advertising. My opinion of the FTC has been far less than stellar, due to the commission's tendency toward self-regulation and its support of wacky things like basing insurance rates on credit reports.

I worry that that the FTC will become the next Securities & Exchange Commission (SEC), where online advertising becomes so complicated that the FTC becomes unable to keep up -- as many argued that the SEC was unable to keep up with Wall Street's financial practices. One area where the FTC seems to be lagging is with RFID technologies.

With that in mind, I read the New York Times interview of David Vladeck, the new head of the Bureau of Consumer Protection at the FTC. Maybe this interview is damage-control by the FTC. Or maybe it's a frank discussion of some particularly gnarly issues:

"The infrastructure for doing work on privacy is in very good shape. It was time for the agency to reconceptualize its privacy mission and to look for a new framework to approach privacy issues in this incredibly dynamic environment. One thing that was needed was someone in a position of authority to basically say, the frameworks that we’ve been using historically for privacy are no longer sufficient in this incredibly dynamic marketing."

When asked how the FTC will keep up with the advertising industry's rapid pace of change, Vladeck's comments are disappointing:

"We’re hoping that if we have candid conversations with them they’ll be more forthcoming, and this is not our first option, but we can make people talk to us. I would like to think that just by force of my charm and personality they’ll do that but if not there are all sorts of other ways we can get information. We’d prefer to persuade industry it’s in their best interests to cooperate on these sorts of things. If not, we’ll be forced to imagine the worst, and that doesn’t help anybody."

Is he serious? Force of his charm? Behavioral advertising techniques to collect consumers' data are moving at light speed. There are browser cookie based approaches, deep-packet inspection approaches, and lately online behavioral advertising networks are moving towards integrating both  consumers' offline and online habits into the online ads served. There are even more ways to provide opt-out (or opt-in) mechanisms and policy statements online. I'm hoping for leadership from Vladeck, not consensus-building.

About today's online disclosures and privacy statements, Vladeck said:

"Disclosures are now written by lawyers, they’re 17 pages long. I don’t think they’re written principally to communicate information; they’re written defensively. I’m a lawyer, I’ve been practicing law for 33 years. I can’t figure out what the hell these consents mean anymore. And I don’t believe that most consumers either read them, or, if they read them, really understand it. Second of all, consent in the face of these kinds of quote disclosures, I’m not sure that consent really reflects a volitional, knowing act."

No kidding. It has become increasing difficult for consumers to effectively make choices, since so many advertising programs use opt-out instead of opt-in, many have made the opt-out mechanism difficult to find and to use, and few programs provide open, honestly and transparent information about how consumers' data is shared among specific third-party companies and partners. Sites like TOSBack are trying to hlp consumers keep up with the complicated and fast-changing online privacy and web site policies.

One of the more positive comments by Vladeck that shows that the FTC is paying attention to consumers' needs:

"The empirical evidence we’re seeing is that disclosures on their own don’t work, particularly disclosures that are long, they’re written by lawyers, and they’re written largely as a defense to liability cases. Maybe we’re moving into a post-disclosure environment. But there has to be greater transparency about what’s going on. Until I see evidence otherwise, we have to presume that most people don’t understand, and the burden is going to be on industry to persuade us that people really are well informed about this."

The Sears settlement with the FTC was a thread throughout the interview, but Vladeck seemed reluctant to use that case as the basis for future rule-making. When asked about whether privacy policies and/or web site terms and conditions statements alone constituted effect consent for consumers, Vladeck replied:

"You’re trying to get me to revert back to these frameworks. I’m going to resist doing that until we have a better sense of whether there are other ways of making sure consumers are adequately informed that when they go on the Times website all of these different transactions are either happening or possible. And it may be that bubble disclosures or pop-up disclosures or anti-cookie devices, there may be all sorts of way to do this, that substitute for the lengthy, form-written privacy policy disclosures that are written by risk-averse lawyers rather than communication experts."

That sounds like a non-answer to me. The FTC wants to leave it open about how companies' web sites provide consumers with consent and notice, but is reluctant to present specific guidelines or rules.

Yeah, the interview was probably an attempt at damage control. I hope (for all our sakes) that the FTC can and does keep up.

IRS Phone Forum About Online Fraud and Identity Theft

It's good to see the U.S. Internal Revenue Service (IRS) taking action about fraud and identity theft.

On August 19, the IRS will host a free phone forum (e.g., that's a large, public conference call) titled "Everyone's at Risk - Combating the Increasing Threat of Online Fraud and Identity Theft." Th event is for practitioners: tax professionals, attorneys, payroll professionals, small businesses, the IRS' industry partners, and both state and local governments.

Participants will learn about identity protection efforts by the IRS, the process for reporting tax-related identity theft, victim assistance, how to report phishing schemes targeted at taxpayers, and IRS efforts to combat online fraud targeted at taxpayers. Advance registration for the event is required.

You can learn more and register for the event at the IRS site.

It's Time To Enforce the Privacy Of Consumers' Medical Prescriptions

It was infuriating to read this New York Times article, "And you Thought A Prescription Was Private:"

"Like many other people, Ms. Krinsk thought that her prescription information was private. But in fact, prescriptions, and all the information on them — including not only the name and dosage of the drug and the name and address of the doctor, but also the patient’s address and Social Security number — are a commodity bought and sold in a murky marketplace, often without the patients’ knowledge or permission. That may change if some little-noted protections from the Obama administration are strictly enforced. The federal stimulus law enacted in February prohibits in most cases the sale of personal health information, with a few exceptions for research and public health measures like tracking flu epidemics. It also tightens rules for telling patients when hackers or health care workers have stolen their Social Security numbers or medical information..."


"The law won’t shut down the medical data mining industry, but there will be more restrictions on using private information without patients’ consent and penalties for civil violations will be increased... Ms. Krinsk was never able to find out who sold her information, but companies that have been accused in lawsuits of buying and selling personal medical data include drugstore chains like Walgreens and data-mining companies like IMS Health and Verispan. CVS Caremark, which handles prescriptions for corporate clients, has also been accused of violating patients’ privacy.

Once again, California leads the way:

"The ban on marketing is even more strict in California, where Walgreens is fighting off a class-action lawsuit filed on behalf of customers who received the subsidized mailings before the state outlawed them in 2004... The data mining industry, meanwhile, is challenging laws in New Hampshire, Maine and Vermont that ban collecting and selling prescription information to drug makers, which use it to decide which doctors to market to. The companies in the case, IMS Health and Verispan, now part of the private company SDI Health, said the identities of patients were removed."

These companies claim that patients' names are removed or encrypted before data is sold, but who verifies this? How are consumers to know if these companies are doing as they claim?

If this infuriates you (and I sincerely hope that it does), I encourage you to write to you elected officials in Congress today and demand prescriptions privacy, stiff penalties for violators, and enforcement of existing laws. Write to your elected state officials and demand local state laws guaranteeing the privacy of your medical prescriptions. Insist that the transition to electronic medical records (EMR) happens only after privacy is guaranteed.

The Continual Tsunami Of Laptop Data Breaches

In September 2007, I listed many of the larger data breaches involving laptop computers from 2005 through then. Have things improved since then? Apparently not. You'll recognize many familiar names and brands:

Month, Year Data Breach Details: Entity, Location, # Records
September 2007 De Anza College (Cupertino, CA) - 4,375
Utah Department of Workforce Services (American Fork, UT) - 2,000
Gap Inc. (San Francisco, CA) - 800,000
October 2007 University of Iowa (Iowa City, IA) - 184
King County Transportation Department (Seattle, WA) - 1,400
Transportation Security Administration (Arlington, VA) - 3,930
Carnegie Mellon University (Pittsburgh, PA) - undisclosed
Administaff Inc. (Houston, TX) - 159,000
Semtech (Camarillo, CA) - undisclosed
Home Depot (Boston, MA) - 10,000
United States Postal Service (Oahu, HI) - 3,000
November 2007 City University of New York (New York City, NY) - 20,000
Montana State University (Bozeman, MT) - 216
Butte Community Bank (Chico, CA) - unknown
Carolinas Medical Center - NorthEast (Concord, NC) - 28,000
Roudebush Veteran's Administration Medical Center (Indianapolis, IN) - 12,000
Ohio Masonic Home / Battelle & Battelle LLC (Springfield, OH) - 600
December 2007 Community Blood Center/Battelle & Battelle LLC (Oakwood, OH) - 600
Memorial Blood Centers (Duluth, MN) - 268,000
Forrester Research (Cambridge, MA) - unknown
Sutter Lakeside Hospital (Lakeport, CA) - 45,000
Deloitte & Touche (New York, NY) - unknown
West Penn Allegheny Health System (Pittsburgh, PA) - 42,000
Pennsylvania Department of Aging (Harrisburg, PA) - 21,000
Minnesota Department of Commerce (St. Paul, MN) - 219
Davidson County Election Commission (Nashville, TN) - 337,000
United States Air Force (Washington DC) - 10,501
January 2008 Workers Compensation Fund (Salt Lake City, UT) - 2,800
Health Net (Mountain View, CA/CT) - 5,000
Florida Department of Children and Families (Orange, Seminole, Osceola, FL) - 1,200
Penn State University (University Park, PA) - 677
Wake County (NC) Emergency Medical Services (Raleigh, NC) - 4,643
Horizon Blue Cross Blue Shield (Newark, NJ) - 300,000
South Carolina Department of Health and Environmental Control - 400
February 2008 Marine Corps Bases Japan (Okinawa, Japan) - 4,000
Memorial Hospital (South Bend, IN) - 4,300
Jefferson County Public Schools (Arvada, CO) - 2,900
Lifeblood (Memphis TN) - 321,000
March 2008 Kraft Foods (Northfield, IL) - 20,000
Blue-Cross Blue-Shield of Western New York (Buffalo, NY) - 40,000
University Health Care (Utah) (SLC, UT) - 4,800
Agilent Technologies (Santa Clara, CA)  - 51,000
National Institutes of Health (Bethesda, MD) - 4,359
April 2008 Harley-Davidson, Inc.(HOG) (Milwaukee, WI) - 60,000
Pfizer Inc. (New York, NY) - 800
University of Virginia (Charlottesville, VA) - 7,000
SunGard (affected Connecticut State University System, Buffalo State, Northwest Missouri State University) - unknown
HealthNow New York (Buffalo, NY) - unknown
General Internal Medicine of Lancaster (East Hempfield Township, PA) - unknown
May 2008 Pfizer (New York, NY) - 18,000
BB&T Insurance (Harrisonburg, VA) - unknown
Spring Independent School District (Spring, TX) - 8,000
HealthSpring Inc. (Franklin, TN) - 9,000
R.E. Moulton (Irving, TX) - 19,000
June 2008 AT&T (San Antonio, TX) - unknown
Stanford University (Stanford, CA) - 72,000
July 2008 US Army Fort Lewis (Fort Lewis, WA) - 700
Indiana State University (Terre Haute, IN) - 2,500
Hillsborough Community College (Tampabay Bay, FL) - 2,000
Anheuser-Busch (St. Louis, MO) - unknown
August 2008 Tennessee Valley Authority (Knoxville, TN) - unknwon
Delphi Automotive / Ohio Depart. of Job & Family Services (Columbus, OH) - 2,600
The Clear Program / "Fast-pass" Registered Travel program operated by Verified Identity Pass for the U.S.  Transportation Security Admin.  (New York, NY) - 33,000
Reynoldsburg Ohio City School District (Reynoldsburg, OH) - 4,259
National Technical Institute for the Deaf / Rochester Institute of Technology (Rochester, NY) - 13,800
September 2008 University of Pittsburgh (Pittsburgh, PA) - unknown
October 2008 University of North Dakota Alumni Association (Grand Forks, ND) - 84,000
West Virginia Dept. of Administration (Charleston, WV) - 535
KRM Management (Fresno, CA) - 5,700
November 2008 Baylor Health Care System Inc. (Dallas, TX) - 100,000
Genesee Intermediate School District (Mundy Township, MI) - 6,000
North Carolina Dept. of Health and Human Services (Raleigh, NC) - unknown
City of Charlottesville (Charlottesville, NC) - 25,000
Maryland Department of the Environment (Baltimore, MD) - 1,367
Starbucks Corp. (Seattle, WA) - 97,000
December 2008 US Army - 6,000
Hewlett-Packard/Symantec (Houston,TX) - unknown
Oregon Health & Science University (Portland, OR) - 890
January 2009 University of Oregon (Eugene, OR) - unknown
Innodata Isogen, Inc. (Hackensack, NJ) - unknown
Seventh-Day Adventist Church (Silver Spring, MD) - 292
Continental Airlines (Newark, NJ) - 230
Southwestern Oregon Community College (Coos Bay, OR) - 200
Madison, WI. Human Resources Department (Madison, WI) - 500
February 2009 Baystate Medical Center (Springfield , MA) - unknown
Parkland Memorial Hospital (Dallas, TX) - 9,300
Rio Grande Food Project (Albuquerque, NM) - 36,000
Steamboat Springs School District (Steamboat Spgs, CO) - 1,300
March 2009 Federal Emergency Management Agency Region 5 Office (Chicago, IL) - 50
Dezonia Group (Chicago, IL) - 63,000
University of West Georgia (Carrollton, GA) - 1,300
Pacific University (Forest Grove, OR) - unknown
April 2009 Palo Alto Medical Foundation (Palo Alto, CA) - 1,000
Hawaii Department of Transportation (Kapolei, O'ahu) - 1,892
Borrego Springs Bank/Vavrinek,Trine,Day and Co. (Borrego Springs, CA) - unknown
Moses Cone Hospital (Greensboro, NC) - 14,380
Oklahoma Department of Human Services (Oklahoma City, OK) - 1,000,000
Oklahoma Housing Finance Agency (Oklahoma City, OK) - 225,000
Illinois Department on Aging (Springfield, IL) - 170
May 2009 United Food and Commercial Workers Union 555 (Tigard, OR) - 19,000
June 2009 Oregon Health & Science University (Portland, OR) - 1,000
Redondo Beach Arco Gas Station (Redondo Beach, CA) - 1,000
Blackbaud / Univ. of North Dakota (Forks, ND) - 84,000
Sutter Health (Sacramento, CA) - 6,000
July 2009 Francis Howell School District (St. Charles, MO) - 1,700
University of Colorado at Colorado Springs (Colorado Springs, CO) - 766

Source: Privacy Rights Clearinghouse

Note: the above list is the "best case" scenario. That is, about one-quarter of the breaches include a situation where the number of records lost or stolen is unknown or undisclosed. So, anytime you hear in the news media a statistic about the number of records lost or stolen, the actual number is greater.

Obviously, companies are not taking data security as seriously as they ought to. Often, the laptop and data are stolen from an employee's car or home. The list includes a variety of entities: companies, universities, accounting firms, medical plans, hospitals, and government agencies. Why employees continue to store large amounts of sensitive employee and/or customer data on their laptops is a myserty to me. There needs to be data security training and consequences by employers.

Chicken Little Congress (Video & Somewhat Political)

[Editor's Note: Today's blog post below is a commentary by Montana Maven, who gave anyone permission to publish it. The commentary sums up pretty well how I feel about the health care discussion in a Congress that is quick to spend $2 billion more to subsidize auto purchases but timid when it comes to health care. Our current system is designed to maximize profits while minimizing the number of people covered, while a truly responsible health care system would maximize the number of persons covered and the number covered with adequate insurance. I am proud to live in a state, Massachusetts, that is trying to solve a difficult problem rather than run away from it. Too often, it seems that too often the attitude in Congress -- or frequently within the "Party of No" -- is to find ways not to do something, rather than find creative ways to solve a problem. When will people realize that a a country is only a strong as the health of its citizens? People are worth more than autos.]

Senator Chuck Grassley pays $356.59 a month for health insurance with a $300 deductible. We pay for his cheap care with our taxes. When asked why we can’t have what he has with our tax money, he told the guy to “Get a job with the Feds”. Hey, Chuck, guess you forgot whom your boss is. It should be us. But like Max who received $3,902,785 from the health care industry over his career, Wellpoint and Blue Cross Blue Shield might have better seats at the Chuck’s table.

Americans are already paying more in taxes for health care than Canadians and are not as healthy. We have the fourth highest infant mortality rate of the 30 developed countries. We are 24th of the 30 countries in life expectancy. That’s because we have a for profit insurance based system. We have great health care providers, but we are often denied full access by some insurance bureaucrat.

Health insurance is not health care. Trying to figure out how to keep the profit in health care is a losing proposition. Other countries use insurance companies to manage bill paying but all of them are non profit.

And we have the money to pay for it. All our Chicken Little legislators do is squawk, “Cost, cost, cost!” like a bunch of hens. We have a $16 Trillion dollar economy. We just spent $160 billion bailing our insurance giant AIG. We spend over $1 Trillion a year on keeping 761 military bases in 150 countries. Come on, close a few of them. A measly $150 billion a year for health care is cheap and money much better spent because it is spent here in the good old U.S.A. on its hard working citizens. Support H.B. 676 Medicare for All. It’s a lot simpler than the Chicken Littles want you to believe.

How bad is the influence peddling and lack of accountability by Congressional representatives to their constituents? Watch this:

I love how Olbermann calls on the carpet both Democrats and Republicans, and especially the Blue Dog Democrats:

"You were not elected to create a Democratic majority. You were elected to restore this country. You were not elected to serve the corporations and the trusts who the government has enabled for these last eight years. You were elected to serve the people. And if you fail to pass or support this legislation, the full wrath of the progressive and the moderate movements in this country will come down on your heads. Explain yourselves not to me, but to them. They elected you. And in the blink of an eye, they will replace you."

Here's a link to the transcript, courtesy of JedL at the Daily Kos.

The Risks Of Doing Business On Facebook And Similar Social Media Sites (Video)

During the Always On Summit at Stanford University, business executives discussed the business risks involved in developing applications and businesses on social networks with proprietary platforms. I believe this is important because the risks -- including identity theft, data breaches, and loss of intellectual property -- apply to larger businesses, small businesses, and sole proprietorships.

The panelists in the video below include Gerry Campbell, CEO of Collecta; Max Ventilla, CEO of Aardvark; Shervin Pishevar, CEO of Social Gaming Network; and moderator Bambi Francisco, CEO of

Thanks to Larry Dignan at ZDNet Between The Lines for the video link.