Previous month:
June 2010
Next month:
August 2010

18 posts from July 2010

FDIC Insurance Permanently Increased For Your Bank Accounts

Last week, the Federal Deposit Insurance Corporation (FDIC) announced that the standard, maximum amount of deposit insurance was permanently raised from $100,000 per depositor per insured bank to $250,000. The increase was made permanent when President Barack Obama signed the Dodd-Frank Wall Street Reform and Consumer Protection Act.

The maximum had been temporarily increased to $100,000 from October 3, 2008, through December 31, 2010. On May 20, 2009, the temporary increase was extended through December 31, 2013.

To learn more, read this blog post about FDIC insurance coverage. or access the FDIC Deposit Insurance Estimator tool.

South Shore Hospital Breach Exposes 800K Patients' Records

On July 19, South Shore Hospital in Weymouth Massachusetts announced details about a data breach, where 800,000 patients' records from the last 14 years were lost by a data management vendor. The hospital shipped backup computer files on February 26, 2010 to the data management vendor for off-site destruction. The hospital became concerned when it did not receive confirmation from the vendor of destruction of the computer files.

The lost, or stolen, computer files contained sensitive personal and medical information about hospital employees, doctors, volunteers, donors, vendors and business partners. The hospital stated in a press release:

"The information on the back-up computer files may include individuals’ full names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, protected health information including diagnoses and treatments relating to certain hospital and home health care visits, and other personal information. Bank account information and credit card numbers for a very small subset of individuals also may have been on the back-up computer files."

May include? An organized hospital should know what is on those lost/stolen backup data tapes. After all, it had over four months -- from late February into July -- to investigate and determine exactly what was on those data tapes.

And, the information on these backup computer files encrypted. It should have been.

Moreover, the delay between discovery of the breach and notification was too long. I see this type of delay repeatedly in data breaches. A 4+-month delay in notification to breach victims gives identity criminals plenty of time to do damage. The announcement and the delay give the impression that the hospital did not have a breach response plan:

"The hospital also has ceased the offsite destruction of back-up computer files and is putting in place policies to ensure that a similar situation cannot occur. The investigation into the matter remains ongoing."

Moreover, the hospital had not yet notified its breach victims at the time of the announcement. It said it would notify breach victims during the coming weeks. Weeks?

In my opinion, that is not good and simply sloppy. This breach is a disaster for any health care organization as the lost (or stolen) information is pure gold for identity thieves: everything needed to gain health care fraudulently and/or open new lines of credit.

Experts advise patients, employees, former employees, contractors, or vendors of South Shore Hospital to check your credit reports for fraudulent entries. The hospital listed the telephone numbers for the three major credit reporting agencies in its Sample Individual Notification letter. The ID-Theft Resources page in this blog lists the website addresses of the three major credit reporting agencies.

If you discover fraud (e.g., bogus entries in your credit reports, another person's medical information in your medical records, another person has committed a crime in your name, etc.), the hospital's Sample Individual Notification letter correctly advised breach victims to:

  • File a police report with local law enforcement (and keep copies -- you'll need them later)
  • File an identity theft complaint with the U.S. Federal Trade Commission
  • Access the official site -- -- to get free copies of your credit reports from the three major credit reporting agencies
  • Notify the credit reporting agencies in writing of any errors or fraudulent entries on your credit reports
  • For protection, place a Fraud Alert or your credit reports. If you have experienced fraud, use a Security Freeze instead. Not sure? Browse the differences.

However, the hospital should have done more. First, the standard post-breach response is for an organization to its provide breach victims with free credit monitoring services. And that service should provide credit resolution services, since it will cost breach victims much time and money to repair their credit files. South Shore Hospital didn't offer this service in either its press release or Sample Individual Notification letter.

How long for complimentary credit monitoring? IBM provided its breach victims, including me, with one year, but other companies and hospitals have provided two years. The longer, the better.

Second, it is extremely difficult to correct medical files when another person has used your personal information to obtain health care fraudulently. Any identity monitoring and resolution service should also help breach victims with this. After its data breach of 1.5 million records, in 2009 Health Net selected Debix as the complimentary credit monitoring service for its breach victims. Earlier this year, AvMed offered its 1.2 million breach victims complimentary services with Debix. Debix provides services that cover both credit files and health records.

Third, the hospital should setup a website to answer common questions breach victims typically have, to share the results of the breach investigation, and to present actions the hospital is taking so this breach doesn't happen again. For many consumers this will be their first experience with a data breach and identity theft. A certain amount of guidance and assistance are appropriate.

Fourth, the hospital should have named the data management vendor in its initial press release. In later news reports we learned that the data management vendor, Archive Data Solutions, had subcontracted the work to another company. That's still no excuse. Consumers deserve timely breach notification, and the hospital's contract has to anticipate this.

Fifth, I was surprised that the hospital's Sample Individual Notification did not mention, for breach victims that are also Massachusetts residents, the Massachusetts Attorney General website which contains several identity theft resources, including this handy guide for fraud victims (PDF format, 113K bytes). This is appropriate content for a post-breach support website, too. WHDH reported several tips from the Attorney General's office for breach victims to protect their medical records.

What do you think? If you are a South Shore Hospital breach victim and received a breach notification letter, we would like to hear your experience.

Quantcast And Several Major Online Sites Sued For Alleged Use of 'Zombie' Cookies To Track Consumers Online

last week, a class-action lawsuit was filed in U.S. District Court in Central California against Quantcast Corporation and several of its affiliates for using "zombie" cookies to track consumers' online activity and for violating several computer and consumer privacy laws.

The affiliates include several major online companies and their websites you have probably used: Myspace Inc., American Broadcasting Companies Inc. ESPN Inc., Hulu LLc., JibJab Media, MTV Networks, NBC Universal Inc. and Scribd Inc.. The complaint alleges that the companies violated one or several laws:

  • Computer Fraud and Abuse Act, 18 U.S.C. § 1030
  • Electronic Communications Privacy Act, 18 U.S.C. § 2510
  • Video Privacy Protection Act, 18 U.S.C. § 2710
  • California’s Computer Crime Law, Penal Code § 502
  • California's Invasion of Privacy Act, Penal Code § 630
  • UCL, Business and Professional Code § 17200
  • Consumer Legal Remedies Act

I've Been Mugged reviewed the complaint (PDF, 690k bytes), which alleged that several consumers:

"... were victims of unfair, deceptive, and unlawful business practices; wherein their privacy, financial interests, and computer security rights, were violated by Quantcast Corporation, and websites affiliated individually with Quantcast... by setting flash cookies on their user’s computers to use as local storage within the flash media player to back up browser cookies for the purposes of restoring them later."

The suit also alleged that the defendant companies:

"... knowingly authorized, directed, ratified, approved, acquiesced, or participated in the unfair and deceptive business practices made the basis of this class action, which included, but was not limited to, setting of an online tracking device which would allow access to, and disclosure of, personal information (“PI”), personal identifying information (“PII”), and/or sensitive indentifying information (“SII”). This information was derived from the Internet user’s online activities, including visits to non-Quantcast Flash Cookie Affiliates’ websites, accomplished covertly, without actual notice, awareness, consent or choice of the user."

This is important: the suit alleges that the companies used the Flash cookies technology to secretly track consumers' online habits and usage, to regenerate traditional web browser cookies, and to collect consumers' sensitive personal information. The companies allegedly profited from this practice and never provided the consumers with notice (in website privacy and terms policies) or opt-out mechanisms.

These "zombie" cookies are the regenerated traditional web browser cookies you usually delete. Like the zombie monsters you have seen in movies, they never seem to completely disappear; and they keep returning despite your best efforts to kill them.

The complaint also cited the problematic, vague, and misleading portions of each defendant company's website privacy or terms policy. The suit does not include all Quantcast affiliates; only those there were involved in the covert tracking and use of "zombie cookies." The suit described in detail how the covert tracking and sensitive personal information collection worked:

"... information obtained by the placement of flash cookies on the users’ computer hard drive and the use of user’s local storage within their flash media player to back up browser cookies for the purpose of restoring them later without actual notice/awareness and consent/choice of the user.."

This is important. Since the firms knew that consumers regularly deleted their browser cookies (to avoid tracking and to maintain their privacy online), the companies intentionally used the Flash cookies technology to regenerate deleted web browser cookies on consumers' personal computers without the consumers' knowledge or consent.

In this class action suit, one of the lawyers representing the consumers in the complaint is a Privacy Crusader I've written about previously: Joe Malley. Malley has much plenty of experience with online privacy, targeted ad tracking, and data collection issues as he has been involved with class actions against Facebook and its Beacon affiliates, NebuAd, and Adzilla. Earlier this year, Facebook settled the suit for $9.5 million. So, I am happy that Malley is involved with this latest suit.

In researching this latest suit, the attorneys found that:

When I first wrote about the privacy and tracking issues with Flash cookies, I also spoke with with several web developers I have worked with in prior jobs. Some knew about Flash cookies but most had no idea about the extent of online tracking and data collection via the technology. If these professionals with deep Internet experience have no idea, then the average consumer or online user definitely has no idea of the technology, the privacy abuse problems, or what, if anything, to do about it.

Since I learned about the "zombie" cookie problem, I now use two software products to monitor and delete all cookie files on my home computer:

  1. MAXA Cookie Manager software
  2. BetterPrivacy add-on for the Firefox browser

Depending upon which web browser used, consumers may decide to download one or both of the above software products. I like the MAXA Research software since it monitors all Local Shared Objects (LSOs) on your computer: web browser cookies, Flash cookies, and DOM user data. Most web browsers have menu options to delete standard web browser cookies, but are unable to delete Flash cookies and other LSOs. The I've Been Mugged blog features a June 2010 interview with the Chief Technology Officer at MAXA Research.

Moreover, this class action suit highlights the fact that companies' website policies are often vague and lack sufficient detail for consumers to make informed decisions. Granted, many consumers don't read the privacy and terms of use policies at websites, but that is no excuse for companies to publish insufficient policies. Plus, Federal and state laws lag far behind online technologies. This makes online privacy difficult for consumers and many companies seem to take advantage of this situation.

Last, this class action suit should be a wake-up call to consumers across the Internet. Now is the time for consumers to demand accountability from websites and advertisers. If they refuse to provide accurate disclosures in their website policies, shop elsewhere. If they refuse to provide easy-to-find opt-out mechanisms for their advertising and marketing programs, shop elsewhere. If you find websites offering advertising and marketing programs with opt-in mechanisms, shop there instead.

If this "zombie" cookie situation bothers your (and I sincerely hope that it does), I encourage you to write to your elected officials and demand stronger laws requiring companies to fully disclose in their websites the tracking and technologies used by their websites, partners, and affiliates.

The Benefits Of Being An Identity-Theft Victim

Several studies and surveys have documented the pain and frustration consumers experience when they become identity-theft victims. Much time is spent documenting the damage and submitting paperwork to law enforcement and financial institutions. Much time and money are spent fixing the damage to financial accounts done by identity thieves. It can be extremely difficult to fix the damage to medical records. Usually, lawyers must be hired and money paid for credit report monitoring services and identity resolution services.

With all of this downside, I have come to believe that there is an upside to identity theft and fraud. Since I started writing this blog in 2007, I have talked with many consumers about their experiences. I am not referring to credit card fraud, because the process is pretty easy and of minimal impact to consumers. Their credit card issuer usually provides a replacement card and account; and the consumer is out up to $50.

The fraud I refer to includes:

  • When identity criminals open new accounts or gain credit in the victim's name; or drain their financial accounts
  • When identity criminals obtain health card services using the victim's information. This medical fraud results with the victim's and the criminal's medical conditions and treatments mixed together; a situation not easily nor quickly corrected
  • When identity criminals commit crime using the victim's name and address information

Most people ignore the whole issue until it happens to them. Then, they want to learn everything they need to know, so it doesn't happen again and they can fix any problems.

The list below is based on my experiences, as a consumer like you. The benefits I see of being an identity theft victim:

  • Awareness: After an identity thief has stolen your personal data, account credentials, and/or money consumers seem to have a new awareness of of the value of their sensitive personal data.
  • Acceptance and curiosity: after having their identity information and/or money stolen, there is an acceptance that identity theft is a problem. There is a curiosity to learn about other ways identity thieves and criminals might harm them, so they can avoid this painful experience in the future.
  • Willingness to change behaviors: Not knowing how to protect yourself is terrifying to most people. The pain from this terror seems to be sufficient incentive for consumers to change their habits (e.g., practice safe online shopping habits, check their credit reports for accuracy, use strong passwords at online sites, maintain anti-virus software on their home computer, etc.). Of the people I have talked with, after being an identity-theft victim, none want to return to their old ways.
  • Stronger consumer interest: along with this awareness about identity theft is an interest in products, services, processes, and/or laws that address and protect the needs and assets of consumers. Getting good customer service seems to become more important, too.
  • Gratitude and appreciation: before becoming a victim of identity theft and fraud, many consumers perceive warnings by consumer and privacy advocates to be unnecessary and overly cautious. Some have called me paranoid. After experiencing the pain of the theft and fraud, a different attitude emerges which includes a sincere appreciation for identity theft protection advice to help them fix their fraud problem, and a context for listening to future warnings.
  • Participation in our democracy: when the perception is that local or federal laws haven't kept up with business practices, some been motivated to write to their Congressional reps to demand action.

So, a painful event can often result in something positive. What do you think?

College Offers Cyber Training For New & Current Students

As an information architecture professional, I have participated in website redesign projects for several colleges and universities. It's always a pleasure to make a college's or university's website easier to use and to navigate for the school's target audiences.

I was pleased to read about an upcoming event in October at Colin College in Texas titled, "Being a Cyber Smart Student- What You Do Now Can Affect You Later." It would be hard to find a truer title for this event. The event description:"

"Technology is a way of life for today's teens; however, what was cute in high school can have serious and long-term consequences in college and the real world. Dallas-Fort Worth Metroplex attorney, Lynn Rossi Scott, will discuss the pitfalls for college students, including copyright violations, identity theft, social networking, child pornography, cyberbullying, shaming, and sexting."

Hopefully, more colleges and universities will draw upon nearby privacy experts to offer similar training sessions to both current students and high school students. The identity theft risks are great, and both college students and high school students need the training. Learn more about tips for college graduates to avoid identity theft and fraud.

Apple Replies to Congress About Its Location Information Collection

On Monday, House Representatives Joe Barton and Ed Markey released details about their conversations with Apple about the company's privacy policy. Congressman Markey's concerns:

"As more Americans rely on location-based services as part of their everyday lives, it is imperative that consumers have control over how their personal information is used, transmitted, and stored. Apple’s responses provided additional information about how it uses location data and the ability of consumers to exercise control over a variety of features on Apple’s products, and I appreciate the company’s response... Consumer consent is the key to assessing the adequacy of privacy protections..."

Portions of Apple's reply appear below:

"... customers have always had the ability to turn "Off" all location-based service capabilities... For mobile devices, the toggle switch is in the "General" menu under "Settings. For Mac computers running Snow Leopard, the toggle switch is in the "Security" menu under "System Preferences." And for Safari 5, the toggle switch is in the "Security" menu in Safari "Preferences." If customers toggle the switch to "Off," they may not use location-based services, and no location-based information will be collected."

As you read the response, you'll notice that there is a lot of data collection going on, and it is device dependent. Some users may find it cumbersome. There are different opt-in/out mechanism for some types of information. I would think that there should be an uber opt-in/out mechanism.

The response about data collection when the user has enabled location-based tracking:

"...Apple maintains a secure database containing information regarding known locations of cell towers and Wi-Fi access points. The information is stored in a database accessible only by Apple and does not reveal personal information about any customer... such as the location of the tower(s), Cell IDs, and data about the strength of the signal transmitted from the towers... Apple collects information about nearby Wi-Fi access points, such as the location of the access point(s), Media Access Control (MAC) addresses, and data about the strength and speed of the signal transmitted by the access point(s)... Apple does not collect the user-assigned name of the Wi-Fi access point (known as the SSID or service set identifier) or data being transmitted over the Wi-Fi network..."

About what is transmitted when the user has enabled location-based tracking:

"... when a customer requests current location information, the device encrypts and transmits Cell Tower and Wi-Fi Access Point Information and the device's GPS coordinates (if available) over a secure Wi-Fi Internet Connection to Apple... devices running prior versions of iPhone OS, Apple transmits - anonymously-- the Cell Tower Information to Google and Wi-Fi Access Point Information to Skyhook. These providers return to Apple known locations of nearby cell towers and Wi-Fi Access points..."

But there is more. Since the iPhone 3G, iPhone 3GS, iPhone 4, and iPad Wi-Fi + 3G all have GPS chips:

"Apple collects GPS Information from mobile devices running the iPhone OS 3.2 or iOS4. GPS Information may be used, for example, to analyze traffic patterns and density in various areas. With one exception, Apple automatically collects GPS Information only if (1) the location-based service capabilities of the device are toggled to "On" and (2) the customer uses an application requiring GPS capabilities. The collected GPS Information is batched on the device, encrypted, and transmitted to Apple over a secure Wi-Fi Internet connection (if available) every twelve hours..."

Now I know why Google "accidentally" collected home wireless information through its Google StreetView cars. It is all about mapping the planet with geographic locations of access points. Apple and Google clearly have a data-sharing arrangement so both can update their databases of known access points.

But there is more. Since Apple launched its targeted advertising network, iAd, in July of this year:

"Customers can receive advertising that relates to their interests ("interest-based advertising") and/or their location ("location-based advertising")... customers may opt-out of interest-based advertising by visiting the following site from their mobile device: Customers also may opt out of location-based advertising by toggling the devices location-based service capabilities to "Off." For customers who do not toggle location-based service capabilities to "Off," Apple collects information about the device's location (latitude/longitude coordinates) when an ad request is made... the latitude/longitude coordinates are converted immediately by the server to a five-digit ZIP code. Apple does not record or store the latitude/longitude coordinates--Apple stores only the Zip code."

Apple archives this targeted advertising data:

"Apple retains a record of each ad sent to a particular device in a separate iAd database, accessible only by Apple, to ensure that customers do not receive duplicative ads and for administrative purposes. Apple intends to retain the Zip code information it has collected for six months to administer and improve the iAd network. After six months, the information may be aggregated for administrative purposes."

Administrative purposes? What does that mean? Sounds vague to me. And the document doesn't discuss what monitoring there is to see if Apple complies with its own policies.

But, there is more. Since Apple sells third-party developed apps for the iPhone, iPad, and iTouch through its App Store:

"Developers do not receive any personal information about customers from Apple when applications are purchased... Developers may collect, use, or disclose to a third party location-based information only with the customer's prior consent... Developers must provide information to their customers regarding the use and disclosure of location-based information...Developers must take appropriate steps to protect customers' location-based information from unauthorized use... Applications must notify and obtain consent from each customer before location data is collected..."

There is more in the Program License Agreement each developer must sign before doing business with Apple. This is a good list of items but it is still unclear how Apple monitors app developers, and their apps, for compliance.

So, once a user enables location-based capabilities on their Apple device, the user gets everything: location-based apps they download and targeted advertising. You can't turn on one and not the other.

At the time of this response document, Apple is not sharing location-based information with AT&T from iPad and iPhone users. Then again, AT&T could track what comes through its network that isn't encrypted. I discussed in a separate blog post the AT&T data breach that affected Apple users.

Now that you know most of what Apple collects (I didn't mention its data collection regarding diagnostics, but that is in Apple's response document, too), you should know that Apple started collection location-based information in January 2008.

Judge Rules Against AOL After Breach

On Friday last week, Courthouse News Service reported:

"A federal judge found AOL accountable for disclosing personal information of 658,000 of its customers. U.S. District Judge Sandra Armstrong ruled that AOL's accidental posting of its customers' Social Security numbers, addresses, phone numbers and credit-card numbers violated its own privacy policy."

AOL did this by uploading members' Internet search terms into a database posted on its website. The sensitive personal data disclosed: members' names, addresses, telephone numbers, credit card numbers, Social Security numbers, financial account numbers, user names and passwords. The data was available online at the AOL website for about 10 days, and portions were copied and reposted online elsewhere.

"Also disclosed was information regarding members' personal issues, including sexuality, mental illness, alcoholism, incest, rape, adultery and domestic violence."

Way to go AOL. MediaPost summed up the issue well:

"Although the members had been "anonymized," some were identified based solely on the patterns in their search queries. For instance, The New York Times was able to identify AOL user Thelma Arnold within days of the breach. The incident is often used to illustrate that "anonymous" information can be used to identify specific individuals."

Now, go read Monday's post about Apple and its promise to anonymize all of the geographic location data it collects about its iPad, iPhone, and laptop users. Then, think about the efforts by Facebook and Twitter to add location data to your posts and tweets.

Are you still feeling good about the Internet?

Thoughts On Apple, Mobile Security, And Privacy

Apple Computer has been very busy the past few months. After introducing the iPad and the iPhone 4, problems surfaced. After a negative iPhone 4 product review by Consumer Reports, the media and users reported problems with the iPhone antenna; a problem raised during development. Apple settled the issue by offering iPhone users free bumpers. The response to that: a good first step.

To me, it's important to focus on the broader events and not "antenna-gate." There have also been several data breaches.

In June, a breach at AT&T exposed the email addresses of about 114,000 iPad 3G customers. AT&T apologized to its breach victims, and it was later discovered that the iPad breach exposed more sensitive information: the ICC-ID numbers where a persistent identity criminal could deduce the more sensitive and generally protected International Mobile Subscriber Identity (IMSI), which is unique to each device's SIM card and can be used to determine: a consumer's location real-time, the consumer's phone number, and the consumer's physical address. The Apple support site explains how you can find these numbers for your mobile device.

In July, a small number of iTunes customer accounts were hacked. Breach victims were advised to change both their sign-in credentials and their credit card used to pay their iTunes account. Some hair-splitting ensued that it was fraudulent activity by an app developer and not a direct hack of Apple's iTunes servers.

My point #1: like Windows PCs have been targeted, Apple products have now become a high-value target by criminals. The total number of accounts hacked in each were few so far. Maybe not so few tomorrow.

My point #2: your mobile device is only as secure as the weakest link: the device manufacturer, the mobile app developer, or the wireless network provider. The AT&T breach proved what happens when it is a breach of the network provider. The iTunes hack shows a weak point in either selected apps or the app store.

So, you could compute your security with the following equation (remember your college statistics?):

95% mobile device mfgr. X 95% mobile app X 95% wireless provider = 86% total security

You can assign your own percentages to each item above. Of course,, this applies to any mobile device and not just iPhones. It's easy to be dazzled by the latest gadget. I used to hear Apple users proudly boast that Apple products don't get viruses like PCs or Windows products. I don't hear that boasting much anymore.

How private is your data on an iPhone? You could replace "security" with "privacy" in the above equation. Instead, I suggest this Los Angeles Times news article:

"Apple Inc. is now collecting the "precise," "real-time geographic location" of its users' iPhones, iPads and computers. In an updated version of its privacy policy, the company added a paragraph noting that once users agree, Apple and unspecified "partners and licensees" may collect and store user location data."

Apple users are locked in to agreeing to these terms, since you can't download anything from the Apple store without first agreeing to the new terms. The company is betting that you are so hot to buy its latest products, that you will sign anything, including sign away your privacy.

Sadly, if Apple is successful with this, then other mobile manufacturers will follow with similar contract terms. Is this what we consumers really want in our mobile electronics?

Not me. I value the "personal" in personal computer, whether it's a desktop, laptop, or a smartphone acting as if. It's bad enough that consumers are forced to shop for apps at a single store. Where else in life do you shop at only one store?

Consumers should have the option to opt-out of location tracking. Some members of the U.S. Congress are concerned, and I hope that you are, too. Write to your elected officials and tell them.

And as you play with your new, shiny iPhone, think about what you so easily gave away.

Tabnapping: What It Is, How To Avoid It

I had not heard about this phishing threat before. From Channel 7 News in Spartanburg, South Carolina:

What should a consumer do? Experts advise consumers to:

  • Close unused browser tabs,
  • Sign out of bank/financial accounts when done. Don't leave these tabs open
  • Check the website address (URL) before entering your sign-in credentials. If it looks fishy or isn't what it should be, don't enter your sign-in credentials
  • Open bank/financial accounts in a new browser window and not a new tab

Banks and Banking Customers Affected By The BP Oil Gusher

As you have read in the news, the oil gusher has spewed oil into the Gulf for almost three months. Hundreds of regional medium and small businesses, like tourism and fishing, have been affected. Banks and their customers have been affected, too.

I think it is important to observe during this crisis how the national and regional banks (and regional credit unions) help their customers-- regional business -- affected by the oil gusher. Earlier today, several government agencies released a statement advising ways that banks can assist regional businesses affected by the oil gusher. The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the National Credit Union Administration, and the Conference of State Banking Supervisors issued this joint statement encouraging:

" institutions to work with their customers and consider measures to assist borrowers affected by this situation and its subsequent impact on local communities. Substantial business disruption and damage to businesses along the Gulf Coast Region have occurred. In response to this disaster, financial institutions can take measures to meet the critical financial needs of their customers and their communities... if conducted in a reasonable and prudent manner, are consistent with safe and sound banking practice. In this regard, the regulators encourage institutions to consider alternatives for customers who can demonstrate they are affected by the disaster; such alternatives may include:

  • Temporarily waiving late payment charges, ATM fees, and penalties for early withdrawal of savings;
  • Expediting lending decisions when possible, consistent with safety and soundness;
  • Extending or restructuring borrower debt obligations in anticipation of the receipt of funds based on claims the borrower may have filed with BP; and
  • Easing credit terms or fees for loans to certain borrowers, consistent with prudent banking practice."

Now, there is an opportunity for the FTC and related agencies to issue similar guidelines and reminders for regional businesses to protect the sensitive personal information of their employees and customers. The crisis should not be an opportunity for small businesses to abandon data security.

To its credit, the FTC has issued Consumer Alerts about both oil gusher insurance/charities scams and oil gusher job scams. If you seek a job in the Gulf region, the FTC oil gusher job scam alert helps consumers learn how to recognize these signs of a job scam:

  • Guaranteed jobs or guaranteed placements
  • An employer or employment-service firm that wants you to pay for training, certification, or its expenses
  • Vague offers: the more general the email “job” description, the less likely there is a valid job
  • You’re asked for your financial information: credible employers don't need your bank account information or credit/debit account numbers to interview or hire you
  • Companies that charge you for lists of available jobs

Sadly, as ocean current distribute the oil to wider areas, more businesses and consumers will need the above advice.

Identity Protection Advice For Consumers When On Vacation

Intersections, the provider of Identity Guard and several credit monitor services for big banks, and the Identity Theft Assistance Center (ITAC) advise consumers to take several precautions to protect their identity information, bank, and financial accounts when traveling on vacation. To guard against home burglary:

"... before you leave: Have your mail collected or held at the Post Office, ideally have someone visit and turn lights on and off, and do not leave financial documents lying in plain view."

While traveling on vacation:

"If you need to access your email from cyber cafe or other establishment, limit your access, avoid entering any passwords to your personal financial accounts, and be sure to log off when you are finished with your session."

Advice I would add to this: use Private Browsing or clear the cache and browser history when you are finished. Perhaps, more importantly while traveling:

"Try to avoid "tweeting" or blogging about your travel plans or talking about them on social networking sites like Twitter, Facebook and MySpace. Thieves may use this information to target empty homes.

I prefer to post messages after I have returned home. You make believe that all of your friends are trustworthy, but remember that a thieves may impersonate one of your friends online after hacking an email account. My favorite tip whether you are traveling or not:

"If browsing the Internet with a wireless connection, do not assume public "hot spots" are secure. Ensure you are using encryption to scramble communications over a network."

Identity criminals and hackers target hotels because their customers are a rich source of credit card information. Wyndham Hotels had three breaches during the past year. Intersections and ITAC advise consumers while traveling on vacation:

"If you're staying at a hotel or motel and receive a call from the reception desk asking that you confirm a credit card number, tell them you'll provide the information at the front desk instead. The call could easily be a random one from outside the hotel."

Prior posts have discussed whether or not it is better or safer to shop with credit cards versus debit cards. I shop only with my credit cards: at home and while traveling. Intersections and ITAC advise consumers while traveling on vacation:

"Bring as few credit cards as possible and ideally carry just one with you and keep a backup card in the hotel safe. Bring a copy of the emergency contact numbers for your credit cards and bank accounts in case they're lost or stolen. It is recommended that travelers do not use their debit cards while on vacation to further protect their checking accounts.... Use cash or travelers checks wherever possible to minimize the risk of credit card fraud or overcharging (this can also help avoid costly exchange fees if you're traveling abroad)."

To learn more about Intersections, read these credit monitoring service reviews:

Insider Identity Theft And Fraud at Bank of New York Mellon

Since its huge data breach in 2008, breach news about the Bank of New York Mellon catches my attention. Last week, the New York Country District Attorney's Office announced in a press release:

"... Adeniyi Adeyemi, 27, a computer technician formerly employed as a contractor at the headquarters of the Bank of New York. ADEYEMI admitted to stealing a list of personal identifying information of 2,000 bank employees, and using this information to orchestrate thefts of more than $1.1 million from charities and nonprofit organizations, among other institutions, over an eight-year period. ADEYEMI pled guilty to the top charges in the indictment, Grand Larceny in the First Degree and Money Laundering in the First Degree, as well as to the felony charge of Computer Tampering in the First Degree."

This event is noteworthy for a couple reasons. First, many consumers assume that banks have airtight data security and don't suffer data breaches. That clearly isn't so. You can find several stories in this blog about breaches at financial institutions and banks.

Second, insider identity theft is arguably one of the tougher crimes to stop because banks trust their employees to work with consumers' sensitive personal and financial information to perform critical bank operations. This latest breach shows the lengths to which criminals will go to steal consumers' financial account information. Adeyemi opened fraudulent bank accounts with the stolen employees' personal and financial information; stolen money from both the charities and his coworkers; wired stolen money through fraudulent E*Trade and Fidelity accounts, and into the the fraudulent bank accounts he'd set up; and wired money on to more fake accounts where he ultimately pocketed the stolen money. More than 12 charites were victims.

I wonder if Adeyemi truly acted alone.

Third, this breach should be a reminder to all consumers to vigilantly protect your financial account information (e.g., routing and bank account numbers) and to monitor your financial accounts for fraudulent entries. While that won't stop insider ID-theft, consumers will spot fraudulent activity on their accounts sooner.

Another news item highlights just how far identity criminals will go to steal consumers' financial account information. They will attach banks from the inside or outside. InfoSecurity magazine reported:

"... online banking users are being targeted by 'regional malware' that flies under the radar of IT security software... Silon.var2, which resides on one in every 500 computers in the UK compared to one in 20 000 in the US, and Agent.DBJP, which has been detected on 1 in 5000 computers in the UK compared to 1 in 60,000 in the US."

So, consumers need to keep the anti-virus software on their home computers loaded and up-to-date. Visit websites you trust and don't click on fake banner ads that claim your computer is unprotected. Be smart about the links you click on. Use a product like McAfee SiteAdvisor to help you avoid virus-infected sites when using a search engine site.

The InfoSecurity magaine article highlighted the fact that banks need to do more about computer viruses:

"... to fight the problem, regional malware Trusteer recommends banks work together, share information, and pro-actively try to identify and target regional malware.They should also actively investigate regional malware in order to understand how the malware works..."

The combination of the latest Bank Of New York Mellon breach and the malware study should be a strong reminder to bank executives of the threats from both inside and outside.

Boston Globe Website Displays Your and Your Friends' Facebook Likes And Status Messages

Last week a friend, Bill, asked me via email what was going on at the Boston Globe newspaper website. Bill sent this image of the Boston Globe Sports landing page:

Boston Globe Sports landing page viewed by my friend, Bill.

Bill was alarmed that the Boston Globe website knew who his Facebook friends are. You can see the name of Bill's friend name next to the Facebook "Like" button. He felt that the Boston Globe shouldn't know who his Facebook friends are since he had already opted out of the Facebook Instant Personalization program, which he thought would prevent stuff like this.

Bill wanted to know what is going on and I promised him I'd try to find some answers.

First, I signed into and visited the Boston Globe site using a second browser window. I wanted to see if I could replicate Bill's experience. Like Bill, I did not sign into the Boston Globe website, and I saw this:

Boston Globe Sports landing page viewed by me when signed into

The Facebook "Like" button appeared but it didn't mention any of my friends. I felt a little better about that, but I still had plenty of unanswered questions.

To find some answers, I read the Globe's Privacy Policy and FAQ page about browser cookies. Perhaps, these pages would explain what was happening. Maybe this was browser cookie-driven information. Neither Globe website pages mentioned Facebook, nor explained this new Facebook "Like" feature.

Next, I called the Boston Globe and spoke with Benny DiNardo, a Multimedia Editor at the newspaper. I shared my concerns. DiNardo confirmed that if a person first signs into Facebook, and then visits the Globe website, and then clicks the Facebook "Like" button on the Globe website, their name will appear as having "Liked" the Globe on both the Globe website and on the website. If the user isn't signed into Facebook, then the Boston Globe website won't display any of this.

DiNardo also said that the Boston Globe home page also had a Facebook "Like" button. So, I went looking for that and found this:

My friends' Facebook status messages displayed in a content module on the Boston Globe home page

I haven't seen that Facebook module before. It displayed actual Facebook status messages by my friends. Each status message contained a link to content within the Globe website. Like Bill, this was a surprise because I, too, had already opted out of the Facebook Instant Personalization program, when Facebook changed its Privacy terms in May 2010. I thought that opt-out would have stopped stuff like this. Obviously not.

Next I clicked on the "Facebook social plugin" link in the module. It took me to a Facebook site page that explained what social plugins are:

"Experience the web with Facebook friends. Social plugins let you see what your friends have liked, commented on or shared on sites across the web. All social plugins are extensions of Facebook and are specifically designed so none of your data is shared with the sites on which they appear."

So, a Facebook Social Plugin is a small amount of HTML code that a website operator can include on a page in their website to display Facebook content they don't have access to. I have no way to verify this, so I have to take Facebook's word on that. I was able to verify this: if you signed into Facebook first and then visit a website with a social plugin, then that site's plugins will display whatever Facebook information those plugins were designed to display.

This Facebook module on the Boston Globe home page module is one type of social plugin. The Facebook "Like" button on the Boston Globe Sports landing page is another social plugin version. Facebook provides 8 different social plugins today, and that number will probably increase in the future. According to TechCrunch, more than 100,000 websites had already installed Facebook Social Plugins by May 2010. I am sure that number is far larger today. So, the Boston Globe has plenty of company using social plugins.

If you don't sign into Facebook and then visit the Boston Globe home page, this is what you see in the Facebook social plugin module:

The default Facebook content module on the Boston Globe home page

But nobody is going to do that because part of the fun of Facebook is sharing links with your friends, and you have to be signed into Facebook to do that.

I had heard about social plugins, but sometimes you don't understand a thing until you see it work. I doubt that any of my Facebook friends realize that their Facebook posts and information are displayed on many sites around the Internet. Now, I had some questions answered, but many new questions:

  • How safe are social plugins?
  • How do I prevent others from seeing my Facebook status messages on sites across the web?
  • What protections does Facebook provide its members from shady website operators who abuse social plugins?
  • Does the Instant Personalization opt-out really work?
  • Are Instant Personalization and Social Plugins two separate programs?

Next, I read the Facebook Social Plugin FAQ page, which answered some of my questions. Some of the answers on this page I found to be, at best favorable to Facebook. Other answers I found to be, at worst, vague and misleading:

"What personal information is shared with sites that use social plugins?
None of your information -- your name or profile information, what you like, who your friends are, what they have liked, what they recommend -- is shared with external sites you visit with a plugin."

Huh? In the image above, the Facebook social plugin clearly displayed my friends' status messages, names, and profile photos at the Boston Globe site. That seems pretty personal to me. The FAQ page explains that the privacy settings for my account apply to these social plugin modules. So, if you allow "Everyone" to see your Facebook status messages and information, everyone can see it here, too. I set my privacy to "Friends Only," but I have no way to verify that Facebook complies with this with its social plugins.

Another section from the Social Plugin FAQ page:

"What information does Facebook receive about me when I visit a website with a Facebook social plug in?
When you visit a partner site, Facebook sees the date and time you visited, the web page you are on (commonly known as the URL), and other technical information about the IP address, browser, and operating system you use... If you are logged into Facebook, we also see your user ID number. We need your user ID to be able to show you the right social context on that site. For example, when you go to a partner website, we need to know who you are in order to show you what your Facebook friends have liked or recommended."

Reread this closely. The social plugins track your web usage at partner sites, whether or not you are signed in to Facebook. The page didn't explain if I could opt-out of this tracking. Perhaps most importantly:

"How do I opt-out of viewing social plugins?"
No data is shared about you with the website when you see a social plugin on an external website... If you would not like to see what your friends recommend or have shared on a website, simply log out of Facebook."

That is a partial answer. That answer tells me how to stop viewing my friends' Facebook information in sites with social plugins. It does not answer how I prevent others from seeing my Facebook information at sites with social plugins. To find the answer to this, I devised a little test.

I posted a couple of Facebook status messages that had links to content at the site. If the Instant Personalization opt-out mechanism at the Facebook site worked, my Facebook friends shouldn't see these posts in the social plugin module at the home page. Sadly, Bill and Michelle were able to see my Facebook status messages in the social plugin. Bill sent this image to me:

Boston Globe home page with my status message, as viewed by my friend, Bill.

Yes, that's my personal Facebook status message above -- the one with the "Boycott BP" profile image. This confirmed for me that the Instant Personalization opt-out mechanism does nothing to stop Facebook from displaying my information in its social plugin modules around the web. As best I can tell, Facebook members cannot opt-out of social plugins.

What all of this means for Facebook members:

  • The Instant Personalization opt-out mechanism does nothing about social plugins. The two are separate Facebook programs. It's easy to confuse the two programs because social plugins deliver content (e.g., Facebook status messages, "Likes," etc.) many consumers consider personal information
  • Facebook doesn't provide a Social Plugin opt-out mechanism so you can prevent others from viewing your Facebook status messages and Like information in social plugins modules at sites around the Internet. The only options are to deactivate your Facebook account or stop posting information to your Facebook account

What responsible company creates a program that its customers can't opt out of?

I can see the appeal of social plugins to website owners. It's a way for them to capitalize on the popularity of Facebook, and see if social plugins will bring them additional website visitors. In my opinion, the Boston Globe should have announced this feature or asked its readers if they really wanted it. The Globe website should have provided an explanation somewhere in its privacy and website usage policies.

Moreover, I have not and will not visit any websites other than to read my friends' status messages. Seeing some of their messages at sites like the Boston Globe doesn't do anything for me. It's a negative Boston Globe brand experience.

I spent two days researching, understanding and writing this blog post about Facebook Social Plugins. No company marketing program should be this complicated and convoluted = difficult to understand by users.

Next, the Facebook site needs to provide real, substantive FAQs. The questions seem made up and not real ones that consumers submitted. The answers need to be less vague and more accurate. If you can't opt-out of social plugins, then say so clearly. Also, consumers need to know how long their Facebook status messages are archived for display in social plugins. If the content is months old, it is useless. And, the program should be opt-in based. If it's that good, people will opt-in. If it's that bad, and few opt in, then Facebook shouldn't be doing it.

Moreover, the whole social plugins program seems slimy:

  • You Facebook status messages with links and Like information is already being used at sites with social plugins installed. Facebook doesn't provide a list of participating sites so there's no way to know unless you stumble upon a site, as Bill and I did. What's the big secret, Facebook?
  • Today, sites with social plugins installed seem to publish only those status messages that include links to the same site. Facebook could easily change that tomorrow.
  • There's no real, easy way for Facebook members to verify that social plugins perform as promised, and only display information consistent with their Facebook account privacy settings. What responsible company builds features its customers can't verify?
  • When you set your Facebook privacy settings, you have to do so knowing that (thanks to social plugins) people will see your Facebook status messages and Likes at both the Facebook site and at many sites around the Internet. Was that distinction clear to you when you set the privacy settings for your Facebook account? I'll bet it wasn't -- and you may want to change them now that you know this.
  • Facebook has built a feature where any website can install social plugins. Any. And the website doesn't have to tell you. How open, honest, and transparent is that?
  • The Social Plugins FAQ page doesn't address what happens when abuses occur. A key thing I've learned since I started this blog, is that there are both reputable and shady website operators. Facebook says that websites don't have access to the content in social plugin modules, but who is watching or verifying that? What happens when abuses occur?
  • For some bizarre reason, Facebook includes FAQ content about Instant Personalization and Social Plugins on the same page. It gives the impression that the two programs are connected, but they aren't. I'll bet that this gave many consumers, like Bill, the mistaken perception that opting out of Instant Personalization would prevent their content from displaying in social plugins. Why the rope-a-dope with FAQ content Facebook?

Previously, my trust in Facebook was low to zero. Learning all of this kept it there. My overall impression is that the latest privacy controls for consumers from Facebook don't really do much, as the company is working hard elsewhere to counter those new controls. A key example is the social plugin program. Skepticism abounds.

I would like to continue reading and to continue trusting the Boston Globe website, but unannounced features like this -- with no user control -- make trust difficult. DiNardo also mentioned that the New York Times website plans to introduce this Facebook "Like" feature soon. I hope not.

What is your opinion? Do other news websites you read have social plugins? Do you like it? Why or why not? If you read the Boston Globe online, what's your opinion? Should the New York Times site add social plugins?

The Latest Wellpoint Breach Affects 470,000 Nationwide

Just before the July 4th holiday weekend, details of the Wellpoint breach became known. Reportedly, a faulty online security update exposed the personal, financial, and medical information of about 470,000 consumers nationwide, including about 5,600 in Connecticut and 230,000 in California.

The breach victims included patients who used the company's web site to apply for individual health insurance through WellPoint subsidiaries (Anthem Blue Cross or Anthem Blue Cross and Blue Shield) in 10 states. The affected patients received letters from WellPoint during the last couple weeks.

WellPoint hired a computer company in October 2009 to update the security for its online application process, but that project left a security hole. Sometime after October, an applicant visited the site to determine the status of their application, and was able to view other applicants' information. The applicant hired an attorney, who replicated the security hole. WellPoint learned of the data breach in March 2010 when it received a subpoena as part of a class-action lawsuit.

The 10 states include California, Colorado, Connecticut, Indiana, Kentucky, Missouri, Nevada, New Hampshire, Ohio, and Wisconsin. The Connecticut Attorney General Office is investigating, wants WellPoint to provide breach victims with two years of free credit monitoring services, and a reply from WellPoint by July 9.

I checked the WellPoint press releases page at the WellPoint and strangely didn't see any mention of the breach. That is surprising, since most companies issue a press release after a data breach explaining what happened, what they are doing so the problem doesn't happen again, and how they are supporting breach victims. A lot of still unanswered about this breach.

This is important also because this breach was not the first by WellPoint, and the latest breach would have gone undetected if not for the help of an applicant. A March 2008 WellPoint breach affected 130,000 patients and a 2006 breach affected about 200,000 patients when backup computer tapes were stolen from a vendor.

Stumbling and Bumbling: Facebook Promises Users More Control Over Data Shared WIth Apps

Last week several news media sites announced the change by to provide its members with greater control over the user's information disclosed by apps. According to the Facebook blog:

"Today, we're taking the next step by providing more transparency and control over the information you share with third-party applications and websites with a new, simpler application authorization process."

Here's what the new authorization page for an app looks like:

New Facebook page with authorization for apps

This is simple alright. Too simple. Why? The page presents one authorization button for three different types of information. Seems to me there should be three check boxes so the Facebook member can select which information type(s) to authorize for an app.

Facebook's solution is all-or-none. You either approve the app or you don't. A minimal change from before.

I suspect this is a sneaky way to get members to authorize apps while claiming they are providing members with more control. Not!

What's your opinion of this?

The Strong Password Conundrum – Usability vs. Security

[Editor's Note: today's post is by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. She helps others improve their use of technology in their personal or professional life. Today, Michelle tackles a problem we all struggle with: managing our online passwords.]

By R. Michelle Green

There are several lovely columns online reviewing password management programs. This post is not one of them. This is about the journey: deciding whether you need a password program.

In 2005, I read Smart Computing’s article about password algorithms until my eyes glazed over about halfway through. I like codes and math, and even I didn’t want to do what they suggested. While reading Riva Richmond admit on Gagdgetwise to using the same password for everything gladdened my heart. I did fear for the internet’s hoi polloi: the ones with abc123 for a password. (Before you laugh, that’s 10th most common, based on a hacker’s posting of 32 million harvested passwords last December. The data has proven invaluable for research on password creation. Half of the top 10 most common passwords were numbers, ascending in order, starting with one.)

In fact, stop reading right now, go change your passwords if yours is on this list, and then come back.

I was in graduate school in 2005, and they had a cracker jack IT group. We had to change our passwords every 90 days. It was annoying as hell, even as I respected the reasoning. I learned to reuse the same strong password: start in the middle, do it backward or make ‘syllables’ out of it and reorder the syllables. In each case, my fingers still remembered the order, I just had to remember when to start and when to end. This technique uses more than one type of long-term memory. It takes the password problem out of episodic (unique experiences) memory, and puts it in the procedural (muscle memory) part. (See? Watch Castle, learn something.)

I was pretty proud of my techniques -- for a while.

Recently, I hit the tipping point. Five years later, I can no longer keep up with my own usernames and passwords. I thought I had a reasonably good system of usernames and passwords of varying strength. If I couldn’t remember the pairing, I usually had enough tries to hit the right combination. Worse come to worse, I could at least hit the right username and get a reset sent by email. With more and more sites asking for strong passwords longer than my go-to guys (and even strong usernames!), I was generating options faster than I could remember them. Even more annoying, some of the strongest passwords were being requested by sites where I keep no private information, just read published content.

Being Ms. Independent, I created a list using code and free cryptic that would make sense to me but no one else. I remain uneasy, however. I have usernames and passwords for over 35 online accounts now, with 8 e-mail addresses and counting (and I bet that status is nostalgic for some of you). Maybe it’s time for a more robust response. That means one of two things – a password algorithm simple enough to remember but still capable of creating passwords unique to each site; or a password management system.

This is not a trivial issue. In 2004, a young widow thrust her dead partner’s computer at me. “She said you’d know how to find her passwords.” The information was a major hurdle for the widow – their online commerce footprint even then was huge. I found the password list, but the scene nagged me – what if a foe, not a friend, had found the totally unprotected word document on her computer? Is this an issue that a Living Will should address? Where’s the right balance between writing your passwords out clearly (helpful for emergencies), and having an arcane rule in your head that no one could ever deduce (great for around-the-clock protection)?

Though I suspect I may have a password program one day soon, I remain a fan of the personally unique arcane algorithm. A common and robust online suggestion involves a sentence with personal meaning for you, with this root word modified per site. This method follows the line referenced by this blog’s host in an earlier post referencing password salting. Sheldon on "The Big Bang Theory" television show, for example, would probably like Ihb&asbYF.LL&P! as a root word. And you may note, I never told you what my rule actually is. A wise man said, the best-kept secret is the one you don’t tell anyone.

© 2010 R. Michelle Green. Reprinted with permission.

Celebrating Three Years Online!

Three years ago today, I started this blog. Since then, I've learned a lot about identity theft, fraud, privacy, and data breaches. This blog has been a good tool to organize what I have learned and the online resources I've found.

During the past few months, I have established new relationships with and PayPal. You can learn more about Adify on the Advertising page. If you like the content of this blog, you can send a contribution via PayPal. And, I have met some interesting people.

Some thank-you's are appropriate. First, I'd like to thank I've Been Mugged readers. Readership hit a new high of 18,000 monthly readers during May and remains strong. Over 50 people follow this blog on Facebook, and over 300 people follow this blog on Twitter.

April was a particularly busy month as many readers submitted comments. I am grateful for your readership and for the comments. We have explored many interesting topics, and will continue to do so.

Second, I'd like to thank the bloggers and the consumer advocates I've met online. Without their suggestions and encouragement, The quality of I've Been Mugged posts wouldn't be as high as it has been. Some bloggers I'd like to thank by name: John Taylor, Lori Magno, Diane Danielson, Michael Krigsman, Drew McLelland, KeyFrame5 Studios, the Baseline Scenario, Lynne Viera, Ryan Barrett, and Ronni Bennett (who leads by example far more than she realizes).

Third, I'd like to thank my guest authors, Bill Seebeck, and R. Michelle Green, for their interesting, insightful and provocative posts.

Fourth, I'd like to thank the Privacy Crusaders. If you know who they are, then you know the good they've done.

Fifth, I'd like to thank the executives at Facebook.comm for providing a seemingly never-ending source of privacy issues to write about.

Sixth, I'd like to thank IBM for losing my sensitive personal data during their February 2007 data breach. That incident caused me to start blogging. The more I learned about data breaches and the way companies assist (or don't) their data-breach victims, the more I realized that I had to do something. Rather than be angry, blogging seemed like a healthy and appropriate response.

If you haven't noticed yet, I named this blog in honor of the company that exposed my sensitive personal data. I've Been Mugged = IBM.

And, I especially want to thank my wife, Alison. Without her support and flexibility, I couldn't write I've Been Mugged.

What's next for the coming year? There's plenty to write about. I am sure that "locational privacy" and medical identity theft will become a hotter topics, along with data breaches, privacy, and areas where corporate responsibility is lagging. Of course, there are the ongoing issues such as behavioral advertising and identity-theft legislation.

We will continue to report on issues that affect consumers, like changes by the big banks in response to the new federal financial reform legislation. And, we'll sprinkle in some identity-theft humor, since it's never all doom and gloom.

If there is a topic you want covered, suggest it below in a comment below.

George Jenkins
Founder and Editor
I've Been Mugged blog