
13 posts from November 2012

Legit Email Or Scam? Legit Text Message Or Scam? What To Do Next

Recently, I received the following email message from a relative:

Sent: Thursday, November 01, 2012 11:30 AM
To: undisclosed recipients:
Subject: Manila, Philippines : (Sad News) : Shirley XXXXXXXXXX

"Just hoping this message reaches you... Well, I'm sorry for this emergency and for not informing you about my urgent trip to Manila, Philippines but I just have to let you know my present predicament... Everything was fine until I was attacked on my way back to the hotel, i wasn't hurt but I lost my money, bank cards, mobile phone and my bag in the course of this attack.. I immediately contacted my bank in order to block my cards and also made a report at the nearest police station. I've been to the embassy and they are helping me with my documentation so i can fly out but I'm urgently in need of some help from you to pay up my hotel bills and my flight ticket back home... My return flight back home is scheduled to leave in few hours from now... Please i need your help..."

The bottom of the email had the person's standard, valid signature with her office contact information. Legit email or scam?

To me, it read like a scam. My relative uses much better punctuation and grammar. Plus, I didn't think she was traveling abroad. So, the simple next step was to call her via a land-line phone or other separate method to confirm things.

I called her, left a voice mail message, and she replied via email a day later. She confirmed that she was not traveling abroad, and that her email account had been hacked.

Identity thieves and scam artists are creative and persistent. There are a variety of "phishing" (e.g., email) scams and "smishing" (text message) scams. Learn to recognize them. Remember, you can always call the company directly and confirm whether or not they sent the suspect text message (or email).

So, a word to the wise. When you receive a suspect communication, confirm it with the person (or company) first via an alternate method. If you receive a suspect text message, call or email the person. If you receive a suspect email, call the person. Even better, talk with them in person.

While waiting for the person to reply, you can always check one of the hoax websites, like Snopes. Your telephone company's website probably lists the types of phone and text scams that have been reported. Your Internet service provider's website probably lists the types of email scams that have been reported.

If you use Facebook, then the Facecrooks site is a good source to verify suspect messages and apps that abuse your privacy.

Infographic: How Credit Reporting Agencies Get Your Information For Their Credit Reports

The infographic below is from the folks at Credit Sesame:

Infographic: how information ends up on your credit file

Giving Thanks Where Thanks Are Due: The Privacy Crusader

Readers of this blog know that I've written about several high-profile data breaches and the class-action lawsuits associated with them. As the Thanksgiving holiday approaches here in the United States, it is time to give thanks where thanks are due.

I would like to give a warm, heartfelt thanks to the Privacy Crusader, attorney Joseph Malley, for all of his hard work protecting consumers -- both adults and children. You may not know of all of the cases he has been involved in, and the results:

| Class Action | Year | Results |
|---|---|---|
| 1. Stealth tracking of Safari browser users class-action / Villegas et al v. Google and Google Inc. Cookie Placement Consumer Privacy Litigation | 2012 | Several class-action combined. Selected as co-lead counsel |
| 2. Mobile app collects address book data without notice nor consent / Hernandez et al v. Path | 2012 | Federal judge rules class action can proceed on several counts |
| 3. Zombie E-tags / Couch et. al. v Space Pencil (DBA KISSmetrics) and Hulu | 2011-12 | KISSmetrics to pay about $500,000 to settle |
| 4. Mobile apps tracking children / Hines et al. v OpenFeint | 2011 | Lorem ipsum |
| 5. Hillman et al. v Ringleader et al | 2010-11 | Ringleader may have ceased operations |
| 6. Zombie cookies tracking / Valdez et al. v Quantcast et al. | 2010 | Quantcast pays $2.4 million to settle |
| 7. Simon et al. v. Adzilla et al. | 2009-10 | Adzilla quietly settles |
| 8. Deep packet inspection / Valentine et al. v NebuAd et. al. | 2008-09 | NebuAd closes after lawsuit and lost clients |
| 9. Facebook Beacon Program / Lane et al. v Facebook et al. | 2009-10 | Facebook settles for $9.5 million |

When the U.S. Congress fails to provide timely, appropriate legislation to protect consumers, it is a perfectly natural result for consumers to band together legally to protect themselves and their sensitive personal information; regardless of companies that insert clauses in their service agreements that limit consumers' rights by preventing class-action suits.

If you are a consumer who has suffered from a company data breach or privacy abuse, you now know who to call.

Data Breach At Nationwide Insurance Affects More Than 28,000 Consumers In Georgia

On Monday, the State of Georgia Insurance Commissioner (GADOI) confirmed a data breach at Nationwide Insurance. Hackers gained unauthorized access to private and sensitive information at the company's online computers.

The announcement contained few details. It did not list the specific personal data elements stolen or exposed, nor explain how the breach happened and what the insurance company is doing so this breach won't happen again.

About 28,467 Georgia residents and policyholders were affected. The insurance company has agreed to:

  • Provide the GADOI with copies of written breach notices sent to affected consumers,
  • Set up a toll-free phone number (800-760-1125) for breach victims to ask questions, and
  • Provide breach victims with at least one year of free credit monitoring services

Some news sources reported that the F.B.I. is investigating the breach. Another news source reported that names, birth dates, drivers license numbers, and marital statuses were stolen. Given the personal data elements stolen, the hackers can do damage.

This is not the first data breach at Nationwide. A check of the breach database at Privacy Rights Clearinghouse found that the insurance company had two small breaches (Florida and New York) during 2007 where laptops containing sensitive personal information were stolen from employees' cars. In 2006, Nationwide was one of several insurers affected by a lockbox theft at Concentra Preferred Systems in Ohio.

The insurance company has not disclosed the number of affected consumers in other states. More details will emerge and the number of breach victims will most likely increase since several states require notice of data breaches.

Safe Shopping Tips For 'Black Friday' And The Holidays

You have probably read or heard about it in either the print, television, or radio advertisements. Many retailers will open early Thanksgiving day night to start the long weekend of shopping including what many refer to as "Black Friday." If you plan to shop, know your rights and shopping tips so you don't get "mugged" by excessive fees.

To help consumers, the Massachusetts Office of Consumer Affairs & Business Regulation (OCABR) has developed a holiday shopping guide that explains consumers' rights, the actions retailers are allowed, and shopping tips for the best experience. For example:

"Sale: For the term "sale" to be used in an ad when the actual savings are not stated, the law requires the savings to be at least 10% for items regularly priced $200 or less, and at least 5% for items over $200."

"Restocking Fee: This is a charge deducted from the purchase price when an item is returned, resulting in a partial refund. Sellers must disclose their return policies, including restocking fees, before the initial transaction is completed."

"Layaway: A plan that allows you to pay for a product in installments and receive the merchandise after you have paid in full. A store must fully disclose its policy on layaway plans, including cancellation and return (or non-return) of payments already made."

"Know the seller: Purchasing from a seller you know and trust is the best way to ensure an excellent shopping experience. For unknown web-sites, use an online store review service such as Epinions, BizRate, the Better Business Bureau..."

"Shop smart with a Smartphone: Smartphones allow consumers to keep track of deals, navigate between stores, and compare prices. Check out apps such as Consumer Reports Mobile Shopper and Google Shopper..."

To read the full list of rights and tips for consumers, download the "Black Friday Shoppers Guide" (Adobe PDF) or this mobile-friendly version of the same report. Rules for retailers in other states may vary. Check with the consumer affairs agency in your state.

NASA Data Breach Affects About 10,000 Employees And Contractors

Last week, the National Aeronautics and Space Administration (NASA) announced a data breach on October 31 where an employee's laptop computer was stolen from a locked car. The laptop contained the sensitive personal information for about 10,000 employees and contractors.

NASA first notified all of its employees in an e-mail message. The agency has contracted with ID Experts to provide free credit monitoring and fraud resolution services for breach victims. In the e-mail message, the agency warned that it may take up to sixty (60) days to notify all affected persons.

The stolen laptop was password protected, but did not have full disk encryption. As a result of the data breach, the agency has mandated that any laptops removed from its offices contain full disk encryption:

"The Administrator and the Chief Information Officer (CIO) have directed that, effective immediately, no NASA-issued laptops containing sensitive information can be removed from a NASA facility unless whole disk encryption software is enabled or the sensitive files are individually encrypted. This applies to laptops containing PII, International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) data, procurement and human resources information, and other sensitive but unclassified (SBU) data."

The agency expects to encrypt all laptops by December 21, 2012, after which any laptops removed from its offices will have all data encrypted, whether or not that laptop contains sensitive information.

Mintz Levin Updates Its Listing of States Data Breach Notification Laws

Recently, Mintz Levin updated its listing of state data breach notification laws. The listing, often referred to as the "Mintz Matrix" (Adobe PDF), summarizes the data breach notification laws for 46 states, plus the District of Columbia, the U.S. Virgin Islands, and Puerto Rico.

Within the past few months, the states of Texas and Connecticut have amended their breach notification laws. Alabama, Kentucky, New Mexico and South Dakota do not have any laws about data breach notifications.

Breach notification laws typically describe the kinds of data elements (e.g., Social Security number) that comprise consumers' sensitive personal information, the format (e.g., paper, electronic) of information covered by the laws, the types of information that must be encrypted, the types of businesses and government entities covered by the state's law, and both the time period and methods by which notification must be provided to consumers affected by the data breach.

Mintz Levin is a law firm focusing upon general business, intellectual property, biotechnology, litigation, telecommunications, regulatory issues, and financial planning. Earlier this month, former Massachusetts Governor William F. Weld joined the firm.

Microsoft Adds No-Class-Action Clause To Its Services Agreement

During the weekend, I spent some time reading the new Microsoft Services Agreement, which includes a clause prohibiting users from suing the company in a class-action lawsuit. Microsoft updated its agreement on August 19, 2012 and the new clauses went into effect on October 19, 2012. The new no-class-action clause is important because it affects consumers' rights to sue collectively.

The updated agreement:


If you use any of the following Microsoft services, then this applies to you: Microsoft Hotmail, Microsoft SkyDrive, Microsoft account, Windows Live Messenger, Windows Photo Gallery, Windows Movie Maker, Microsoft Mail Desktop, Windows Live Writer, Bing, MSN, and any other Microsoft products or services that refer to this service agreement. A portion of the new clause:

"This section applies to any dispute EXCEPT IT DOESN'T INCLUDE A DISPUTE RELATING TO THE ENFORCEMENT OR VALIDITY OF YOUR, MICROSOFT’S, OR EITHER OF OUR LICENSORS’ INTELLECTUAL PROPERTY RIGHTS. The term “dispute” means any dispute, action, or other controversy between you and Microsoft concerning the services (including their price) or this agreement... In the event of a dispute, you or Microsoft must give the other a Notice of Dispute, which is a written statement that sets forth the name, address, and contact information of the party giving it, the facts giving rise to the dispute, and the relief requested. You must send any Notice of Dispute by U.S. Mail to Microsoft Corporation, ATTN: LCA ARBITRATION, One Microsoft Way, Redmond, WA 98052-6399, US. A form is available on the Legal and Corporate Affairs (LCA) website..."

This is also important for several reasons. First, because it limits consumers' rights. Class-action lawsuits are one method available to consumers when state, local, or federal laws provide no or insufficient protections. Examples include new marketing programs or data breaches that fail to protect users' sensitive personal information.

Second, Microsoft is one of several companies that have included no-class-action clauses in their service agreements. The MediaPost Daily Examiner reported:

"Since the Supreme Court upheld AT&T's mandatory arbitration clause last year, more and more tech companies -- including Netflix, eBay, and Paypal -- are revising their terms of service to provide that consumers have no right to bring class-actions."

Of course, companies have a right to add clauses into their agreements, where allowed by federal, state, or local laws. And consumers have a right to accept or reject new clauses like this.

Companies with no-class-action clauses are effectively saying publicly that they want to limit their liability when bad things happen. For consumers that prefer products and services that stand by their users when bad things happen, this new clause means you should shop around for an alternative.

What is your opinion of the new clause?

Class Action Settlement Proceeds With Bank Of America Credit Protection Service Customers

Back in August 2012, Bank of America agreed to pay $20 million to settle a class-action lawsuit about alleged deceptive marketing with its credit protection services. Also in August, the bank announced that it had decided to independently stop accepting new customers for its credit protection services and to terminate its credit protection services in 2013.

Recently, a relative received the postcard below from Gilardi & Company LLC, the administrator for the class-action settlement. Because the reply mechanism with the postcard asked for sensitive personal information, that relative asked me to investigate:

Settlement notification postcard side 1

Settlement notification postcard side 2

Gilardi has set up for consumers who subscribed to a credit protection service from Bank of America between January 1, 2006 and July 17, 2012. You may be eligible for a payment, which could be $50 or $100 depending upon your situation. You must submit a claim to receive payment. Key upcoming deadline dates:

  • December 13, 2012 to opt out of the settlement agreement
  • December 13, 2012 to submit objections about why you do not like the settlement agreement
  • January 14, 2013: Fairness Hearing
  • February 26, 2013 to submit a claim

What You Need To Know About Facial Recognition Software And Best Practices Recommended By The FTC

If you use a social networking website like Facebook, then this applies to you. In October, the U.S. Federal Trade Commission (FTC) released a report that included best practices for companies that use facial recognition software with consumer information. Besides the best practices, the report, "Face Facts: Best Practices For Common Uses Of Facial Recognition Technologies," also includes reviews of the facial recognition technologies and sample applications.

If you are a Facebook member, then you may be aware of how that social networking service uses facial recognition software. Facebook uses the software to help its users identify their friends in photographs, and to encourage its members to "tag" or verify their friends in those photographs.

While traveling recently, I experienced another way Facebook uses facial recognition software. While signing in from a different location in another state, the software challenged my sign-in. I could sign in using a code (since I had both Log-in Approvals and Log-in Notifications enabled), or identify my friends in several photographs. I chose the latter to see how the software works.

The FTC developed its report from a December 8, 2011 workshop and from comments submitted by the public and stakeholders about both the technologies and privacy concerns. The report described several ways the facial recognition software can be used:

"... Facial recognition technologies currently operate across a spectrum ranging from facial detection, which simply means detecting a face in an image, to individual identification, in which an image of an individual is matched with another image of the same individual... In between these two divergent uses are a range of possibilities that include determining the demographic characteristics of a face, such as age range and gender, and recognizing emotions from facial expressions... One company – called SceneTap – has also leveraged the ability to capture age range and gender to determine the demographics of the clientele of bars and nightclubs"

Given this, companies can (and do) use the software to compile from photographs personal data about individuals such as gender, age, emotions, location, economic status and connections with other persons. Consider that group photo at a friend's wedding at a private golf course which you posted online, or a group photo at a college reunion. Consider video games like Xbox 360 Kinect that can "see" you. The gaming software can easily be modified to also capture and analyze your face. Or, consider digital signs or kiosks that are located everywhere from malls to stores to schools to sports arenas:

"... technologies that can determine the gender and age range of the person standing in front of a camera can be placed into digital signs or kiosks, allowing advertisers to deliver an advertisement in real-time based on the demographic of the viewer... Unless these signs are labeled, they often look no different to consumers than digital signs that are not equipped with cameras. Panelists representing companies that currently use facial recognition technologies similarly acknowledged that there are privacy concerns surrounding the use of these technologies..."

It was good to read that a couple of industry groups have developed guidelines for the use of digital signs (links added):

"... Point of Purchase Advertising International’s Digital Signage Group (“POPAI”) has developed a code of conduct containing recommendations for marketers to follow in order to maintain ethical data collection practices in retail settings. Similarly, the Digital Signage Federation worked with the Center for Democracy and Technology to craft a voluntary set of privacy guidelines for their members, which include advertisers and digital sign operators..."

I have not reviewed (yet) the documents from these two groups. I hope that they cover both usage and data security to prevent hacked digital signs used by identity criminals. The best practices recommended by the FTC:

"1. Privacy by Design: Companies should build in privacy at every stage of product development.

2. Simplified Consumer Choice: For practices that are not consistent with the context of a transaction or a consumer’s relationship with a business, companies should provide consumers with choices at a relevant time and context.

3. Transparency: Companies should make information collection and use practices transparent."

This list is a good start. However, there are many questions about the appropriate use of facial recognition technology. Connecticut Senator Richard Blumenthal asked some good questions (bold emphasis added):

"Will a social networking site that uses facial recognition technology to tag friends in photos allow third-party apps to access this face data or create its own data sets from your pictures? Will a store that uses facial recognition technology to identify shoppers check that information against other consumer data to predict customers’ income levels and direct them toward or away from certain products?"

And, should facial recognition be used on children and minors? Should digital signs scan and archive children's facial data? If so, beginning at what age: 13, 14, 18, or all starting at birth? What about facial injuries and medical conditions?

The above recommended best practices list the items consumers should look for in the privacy policy and/or terms and conditions policy for a website or mobile app. I wish that it had said more about mobile apps, and had attempted to resolve situations where there are several, competing privacy policies (e.g., smart phone users have privacy policies by the mobile device manufacturer, the developer of the operating system for that device, the telecommunications provider, the app developer, and the app store operator). I found the following section of the FTC report particularly important, since it helps consumers evaluate companies that adequately protect your sensitive personal data and privacy:

"... there are at least two scenarios in which companies should obtain consumers’ affirmative express consent before collecting or using biometric data from facial images. First, they should obtain a consumer’s affirmative express consent before using a consumer’s image or any biometric data derived from that image in a materially different manner than they represented when they collected the data. Second, companies should not use facial recognition to identify anonymous images of a consumer to someone who could not otherwise identify him or her, without obtaining the consumer’s affirmative express consent... increased consumer education about the use of facial recognition technologies is of paramount importance and that all stakeholders – including industry, trade associations, consumer and privacy groups, and government entities – should engage in consumer education efforts..."

For privacy reasons, some of my Facebook friends have told me it's okay to post photos about them, but do not tag them in photos. I have my Facebook privacy controls set to review all tags of me in photographs by my friends, which I can either approve or reject.

Download the FTC "Face Facts" report (Adobe PDF). Learn more about the POPAI Digital Signage Group.

South Carolina Officials Say 657,000 Businesses Also Affected By Data Breach

The South Carolina data breach that affected 3.6 million consumers is more extensive than originally announced. On Wednesday, October 31, the state updated its breach announcement to say that 657,000 businesses were also affected. The update also reported 620,000 phone calls to Experian by consumers seeking breach information, and that about 418,000 consumers have signed up for one year of free Experian ProtectMyID service.

The State also expanded the assistance it is providing both businesses and individuals affected by the breach. Starting today, Friday, South Carolina offers for free to businesses that have filed a state tax return since 1998 the CreditAlert services from Dun & Bradstreet Credibility Corporation. CreditAlert will notify business customers of changes to their business credit file, such as a business address change, or a company officer change. Business owners can visit or call CreditAlert customer service toll free at 1-800-279-9881.

The state is also offering to affected South Carolina businesses the Business Credit Advantage from Experian, which provides unlimited access to a company’s business credit report and score. Interested businesses can sign up for Business Credit Advantage. Businesses have until December 1, 2012 to sign up.

The state also announced expanded assistance for individuals. Free fraud resolution services are extended past one year, and individuals with children can sign up for the "Family Secure Plan" to protect the Social Security numbers and sensitive personal information of minors and children also exposed/stolen during the data breach. Consumers have until January 31, 2013 to sign up.

The fact that businesses were also found to have been impacted by the breach suggests that the breach investigation is ongoing: determining the entities affected, the data elements stolen, and how the unauthorized access and theft was performed technically. As reported by The State:

"Like other S.C. taxpayers, state businesses will be able to get free credit monitoring. But companies will get longer coverage. Businesses that have filed state taxes since 1998 can sign up for lifetime record monitoring from Experian starting [Thursday] and Dun & Bradstreet starting Friday. Consumers can get one year of monitoring and insurance from Experian, paid for by the state."

Why the longer coverage for businesses? The threat to both from identity criminals does not magically end after one year. Of course, businesses have more money, on average, than individuals. I look forward to hearing more from the state about why they chose to give businesses longer coverage for free. It suggests that the state has not finished improving its data security methods and systems.

If you are new to the issue of identity theft and fraud, then the alert services and credit monitoring service will likely help you get started and learn how to protect your sensitive personal information. However, it won't stop all identity fraud, so the value is in the fraud resolution services.

Are you a South Carolina resident or business owner? We'd like to hear about your experiences with the ProtectMyID, CreditAlert, or Business Credit Advantage services.

California Attorney General Notifies Developers Of Mobile Apps In Violation Of State Privacy Laws

Earlier this week, the State Of California Attorney General (AG), Kamala Harris, announced that her office had begun notifying mobile device app developers that were in violation of state privacy laws:

"The companies were given 30 days to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information. Letters will be sent out to up to 100 non-compliant apps at this time, starting with those who have the most popular apps available on mobile platforms."

Last week, the California AG had notified United Airlines about its mobile app. Other companies warned include Delta Air Lines and OpenTable Inc.

The letters are part of enforcement of the California Online Privacy Protection Act, which requires operators of online services (e.g., mobile device apps and apps at social networking sites) that collect personally identifiable information from California residents to conspicuously post a privacy policy. Operators not in compliance face fines of up to $2,500 for each download of a non-compliant app.

Reportedly, non-compliant app developers and app store operators could also be prosecuted under the California Unfair Competition Law and/or False Advertising Law, with fines up to $500,000 per use of a non-compliant app.

This should not be a surprise, given the law and given the February 2012 global agreement between the California AG and several technology companies -- Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research In Motion -- to require mobile app developers to post privacy policies.

This is really good news for consumers who have become increasingly reliant upon mobile devices. Past studies have documented sporadic and poor access to privacy policies by mobile device apps both before and after installation. Once again, California leads the way in protections for consumers.