
19 posts from September 2013

LexisNexis And Other Major Data Brokers Hacked By Identity Theft Service

Late last week, the Krebs On Security blog reported that several major data brokers were hacked by an identity theft service, with malware planted on their Internet-connected computers to steal consumers' sensitive personal information. These major data brokers sell information such as consumers' addresses, Social Security Numbers, dates of birth, credit information, and background reports -- information often used by potential employers for verification tasks.

The whole sordid affair revolves around this identity theft service's website:

"... ssndob[dot]ms... has for the past two years marketed itself on underground cybercrime forums as a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident. Prices range from 50 cents to $2.50 per record, and from $5 to $15 for credit and background checks..."

Ssndob[dot]ms (a/k/a SSNDOB) never revealed the sources of the information in its database, but a series of hacks during 2013 began to reveal them:

"... the source of the data sold by SSNDOB has remained a mystery. That mystery began to unravel in March 2013, when teenage hackers allegedly associated with the hacktivist group UGNazi showed just how deeply the service’s access went. The young hackers used SSNDOB to collect data for, a Web site that listed the SSNs, birthdays, phone numbers, current and previous addresses for dozens of top celebrities... But late last month, an analysis of the networks, network activity and credentials used by SSNDOB administrators indicate that these individuals also were responsible for operating a small but very potent botnet... This botnet appears to have been in direct communications with internal systems at several large data brokers..."

A botnet is a group of hacked computers controlled remotely by identity thieves. Each hacked computer in the botnet has malware installed on it, which allows the thieves to direct the computer to perform certain tasks. Often, the victims are unaware of the malware and activity performed by their hacked computers.

In this instance, the tasks appear to have been to copy and transmit consumers' sensitive personal and financial information, and the hacked computers, or servers, were owned by three major data brokers: LexisNexis, Dun & Bradstreet (D&B), and Kroll Background America.

Krebs On Security described the sophisticated botnet malware on the hacked servers:

"... it was carefully engineered to avoid detection by antivirus tools. A review of the bot malware in early September using gave it a clean bill of health: none of the 46 top anti-malware tools on the market today detected it as malicious (as of publication, the malware is currently detected by 6 out of 46 anti-malware tools at Virustotal)."

Consumers should know that all three companies collect consumers' sensitive personal and financial information. Reportedly, the data brokers are working with both law enforcement and technology vendors to investigate the extent of the data breaches. So, this story is far from finished.

These data breaches at data brokers -- where plenty of consumers' sensitive personal and financial information is stolen -- are huge problems because much of today's business, including online activity, rests upon the assumption that only the real you knows your Social Security Number and related identifying information. The background verification systems sold by data brokers have been built upon this assumption. The Washington Post's Andrea Peterson summarized the problem:

"... anyone who has access to a comprehensive database that contains this kind of information can impersonate you."

This makes data security by data brokers even more important. So, the data security failures in these breaches are huge and not to be underestimated. Unfortunately, this is not the first data breach at LexisNexis. A 2005 data breach at LexisNexis included the theft of 310,000 records about consumers. A 2009 breach at LexisNexis affected 40,000 persons. Another, separate data breach in 2009 allegedly had ties to organized crime.

Readers of this blog may remember that, after my sensitive personal information was exposed/stolen during a 2007 data breach at IBM, IBM hired Kroll for its post-breach response. During the mid-1980s I worked for three years at Lexis-Nexis headquarters in Dayton, Ohio as a marketing manager. Attorneys, in both law firms and corporate legal departments, use Lexis-Nexis frequently for both legal and business research.

In 2007, this blog reviewed ChoicePoint, which LexisNexis acquired in 2008. In 2006, ChoicePoint settled with the FTC and paid about $15 million, at that time the largest civil fine for a data breach. At least 800 cases of identity theft and fraud resulted from the breach. The fine resulted from an investigation which found that the company had sold the credit histories of 163,000 consumers to business clients that lacked a legitimate purpose for that information, and that the company had failed to provide adequate data security -- both required by federal law.

I was surprised that Kroll's servers were hacked. Kroll's reputation is based upon it being a knowledgeable and technically savvy vendor skilled at data security.

[October 2, 2013 update: the Russian hackers also accessed and stole data from the National White Collar Crime Center.]

8 Sentences That Drive Employees Crazy

Recently, Inc. Magazine published an article titled, "8 Sentences That Drive Bosses Crazy." It's only fair to provide a similar list of statements frequently said by bosses (and employers). So, today's blog post presents 8 sentences said by bosses (or employers) that drive employees crazy -- given the focus of this blog on identity theft, privacy, wage abuse, and corporate responsibility.

Being an employee isn't easy today. Bosses demand more work in less time. Employees usually have to juggle multiple, simultaneous projects with deadlines that seem to get shorter and shorter. Often, employees must satisfy the needs of multiple bosses, some in the same chain of command. Plus, bosses in other departments frequently provide feedback into employees' annual performance reviews.

If you are an employee, perhaps you have heard your boss say one or more of the sentences below. If you are a boss or senior-level executive, these are eight sentences, or situations, you want to avoid.

1. "Do the job exactly as I tell you to do it."

Okay. While you are unquestionably the boss, we also know our jobs very well; especially if we have long tenure. You may have performed our job years or decades ago. Things change. We have minds. We often innovate. Respect your staff and employees for that.

2. "This is my idea so I get full credit for it."

Good ideas are essential, but a boss is part of the team they manage. It may have been the boss' idea, but the staff probably implemented it. Respect your staff by giving credit for both the idea and the implementation. Respect your staff and they will work hard for you. Respect is earned. So, if you want and expect the respect of the employees that work for you, then you had better work to earn it.

3. "Pay checks will be late."

We employees understand that business is tough. Just as bosses expect employees to arrive on time for work, we employees expect bosses (and employers) to pay us on time. Timely payroll is a responsibility and commitment. Find a way to pay your employees fully, accurately, and on time. Do not ask which employees can wait to be paid. Do not ask which employees can accept a partial paycheck. Do not skip final paychecks. Our creditors (e.g., landlords, utilities, banks) expect us to pay their bills on time.

If you can't pay your employees, then you are telling us that either you don't have the money to pay us or you choose not to pay us. Neither is good. Both suggest that you may not know how to manage your business as well as you think. Both suggest to employees to look for another job. You might find the cash to pay us by reducing the huge salaries and/or bonuses of your senior executives.

4. "Yes it's 4:00 pm on Saturday, but I need you to do this work now."

This can be a phone call, e-mail message, or text message. If we employees normally work weekends, then the request is fine. Otherwise, it is disrespectful. We have lives, including family members that need our time and attention. Our job as employees is to do the work. Your job as boss is to plan ahead and clear obstacles so we can complete our work on time, accurately, as expected during normal business hours.

5. "We'll investigate the problems you reported about the company's 401-K retirement plan."

Employees never want to hear this. We know that business is tough, and we expect the company to make timely contributions to employees' retirement plan accounts as the law provides. The company retirement plan is not your private cash or slush fund. If employees first found problems with your retirement plan contributions, then your credibility is already suspect because you didn't find the problem and notify your employees. We expect any problems to be investigated and resolved immediately and completely, with a correction plan implemented fully and quickly. Don't delay. Don't make excuses. Both further erode your already weak credibility.

6. "Our company had a data breach, and your personal data was exposed."

We employees understand that business is tough, and there are lots of bad guys out there. It is the company's responsibility to adequately protect the sensitive personal information it has collected about employees, contractors, and former employees. Don't cut corners on data security just to save money. Don't make us pay monthly fees for credit monitoring services because of data you failed to protect. And, don't say our sensitive personal information was "exposed." It probably was stolen. You know that. We know that. Identity thieves and criminals steal identity information so they can use it, or sell it, to make money.

7. "We don't have the money to pay for upgrades to the latest software."

You hired your employees to do a quality job. Don't hamper our ability to get the job done at the quality level you expect. Do not place obstacles in our way. If you can't afford to pay for software upgrades, you are indicating that you may not know how to manage your business as well as you think. Provide your employees with the appropriate tools. Your competition does. Don't delay or make excuses. Both erode your credibility.

8. "Oops, I forgot to tell you about that."

Employees don't like surprises either. (See statements #3, 5, and 6.) We work hard to get our jobs done on time in the high-quality manner you expect. It's better to communicate openly, honestly, and directly. We know our jobs best and can often see inter-dependencies or obstacles you may not see or understand as quickly.

New York Attorney General Announces Agreements With 19 Companies To Pay Fines And Stop Fake Online Reviews

On Monday, the New York State Attorney General announced agreements with 19 companies to stop their practice of submitting fake reviews at many social networking websites. The year-long undercover investigation, code named "Operation Clean Turf," found:

"... the manipulation of consumer-review websites... companies had flooded the Internet with fake consumer reviews on websites such as Yelp, Google Local, and CitySearch... many of these companies used techniques to hide their identities, such as creating fake online profiles on consumer review websites and paying freelance writers from as far away as the Philippines, Bangladesh and Eastern Europe for $1 to $10 per review. By producing fake reviews, these companies violated multiple state laws against false advertising and engaged in illegal and deceptive business practices."

The agreements, called Assurances Of Discontinuance, require the 19 companies to pay more than $350,000 in fines. Fines for individual companies ranged from $2,500 to about $100,000.

Some of the defendant companies involved were Search Engine Optimization (SEO) firms. SEO firms help client companies' websites appear on the first page of search results at search engines such as Google, Yahoo, and Bing. The SEO firms also offered reputation management services which included "astroturfing" -- a form of fake advertising where a company prepares and/or distributes fake reviews that reasonable consumers would believe to be from a neutral third party. Some SEO firms also changed the IP addresses of the computers submitting fake reviews, to evade the filters that review websites use to reject fake reviews.
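To show why rotating IP addresses defeats the kind of per-IP filter described above, and what a review site can still check, here is an added example (my own illustration, not code from the Attorney General's investigation or from any review site). The submissions are constructed sample data, the thresholds are assumptions, and the two checks are deliberately simple: a per-IP velocity filter, which the rotated-IP batch passes, and a near-duplicate text check per business, which it does not.

```python
"""Toy review-fraud checks: why an IP-only filter is easy to evade.

All submissions below are constructed for this example, not real data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample: four near-identical reviews of one business, posted by
# fresh accounts from rotating IPs, plus two ordinary reviews.
SUBMISSIONS = [
    {"reviewer": "u1001", "ip": "203.0.113.5", "business": "spa-a",
     "ts": "2013-09-20T10:00:00",
     "text": "Best laser hair removal in the city, friendly staff, great results!"},
    {"reviewer": "u1002", "ip": "203.0.113.5", "business": "spa-a",
     "ts": "2013-09-20T10:04:00",
     "text": "Best laser hair removal in the city. Friendly staff and great results."},
    {"reviewer": "u1003", "ip": "198.51.100.7", "business": "spa-a",
     "ts": "2013-09-20T10:09:00",
     "text": "best laser hair removal in the city - friendly staff - great results"},
    {"reviewer": "u1004", "ip": "192.0.2.44", "business": "spa-a",
     "ts": "2013-09-20T10:15:00",
     "text": "Great results, friendly staff, best laser hair removal in the city!!"},
    {"reviewer": "u0007", "ip": "198.51.100.9", "business": "spa-a",
     "ts": "2013-09-18T17:30:00",
     "text": "Decent place, a bit pricey, parking is hard to find."},
    {"reviewer": "u0042", "ip": "192.0.2.99", "business": "cafe-b",
     "ts": "2013-09-19T08:00:00",
     "text": "Coffee was fine, croissant stale."},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def flag_by_ip(subs, max_per_ip=1, window=timedelta(hours=24)):
    """Flag reviewers whose source IP submitted more than max_per_ip reviews
    inside `window`. This is the filter that IP rotation defeats: only the
    two reviews that share an address get caught."""
    by_ip = defaultdict(list)
    for s in subs:
        by_ip[s["ip"]].append(s)
    flagged = set()
    for items in by_ip.values():
        items.sort(key=lambda s: _parse(s["ts"]))
        for i, s in enumerate(items):
            start = _parse(s["ts"]) - window
            recent = [x for x in items[: i + 1] if _parse(x["ts"]) >= start]
            if len(recent) > max_per_ip:
                flagged.update(x["reviewer"] for x in recent)
    return flagged


def _tokens(text):
    # Lowercase word set; punctuation and word order are ignored so that
    # lightly reworded copies still compare as similar.
    return set(re.findall(r"[a-z]+", text.lower()))


def _jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def flag_by_text_similarity(subs, threshold=0.6):
    """Flag reviewers whose review is a near-duplicate of another review of
    the same business. Changing the source IP does not change the text, so
    the whole batch is caught, while the genuine reviews are not."""
    by_business = defaultdict(list)
    for s in subs:
        by_business[s["business"]].append(s)
    flagged = set()
    for items in by_business.values():
        for a, b in combinations(items, 2):
            if _jaccard(_tokens(a["text"]), _tokens(b["text"])) >= threshold:
                flagged.add(a["reviewer"])
                flagged.add(b["reviewer"])
    return flagged


def compare_filters(subs):
    """Return what each check flags, to compare their coverage side by side."""
    return {"ip_only": flag_by_ip(subs),
            "text_similarity": flag_by_text_similarity(subs)}


if __name__ == "__main__":
    for name, hits in compare_filters(SUBMISSIONS).items():
        print(f"{name}: {sorted(hits)}")
```

Run stand-alone, the script shows the per-IP check flagging only the two reviews that happened to share an address, while the text check flags all four of the batch and neither genuine review. A real site would combine several such signals (account age, device fingerprint, posting cadence) rather than rely on any one of them.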

The SEO companies and clients that agreed to stop their astroturfing activities, as described in the announcement:

"Zamdel, Inc., d/b/a eBoxed, a search engine optimization company based in New York City, which posted more than 1,500 fake reviews of clients on consumer-review websites such as, Google Places, Yahoo! Local, Citysearch, Judy's Book and"

"XVIO, Inc., another search engine optimization company based in New York city, which posted hundreds of fake reviews of clients on consumer-review websites. XVIO also conducted a "secret shopper" campaign where its agents received free or discounted goods and services from XVIO's clients in exchange for a review. However, the reviewers were encouraged to post on consumer-review websites only if they were positive, the "secret shopper" did not disclose that he or she had received a free or discounted product or service..."

"Laser Cosmetica, the now-former owner of this well-known laser hair-removal business with multiple locations in the tri-state area orchestrated an astroturfing campaign, hiring an SEO company that posted fake reviews on consumer-review websites, and instructed employees and friends to write fake reviews on consumer-review websites. They also offered discounts on services in exchange for online reviews, without requiring the customer to disclose the gift in the review."

"US Coachways, Inc. The management of this leading national bus charter company based in Staten Island, NY orchestrated an astroturfing campaign, writing bogus reviews themselves, soliciting freelance writers from and to write bogus reviews, and urging employees to pose as customers and write positive reviews..."

"Swan Media Group, Inc. and Scores Media Group, LLC. The manager of this licensee of the Scores gentlemen's club franchise orchestrated an astroturfing campaign with the help of a freelance writer that resulted in 175 fake reviews of entertainers at the Scores adult club in New York City and an affiliated website,"

The companies that signed Assurance of Discontinuance agreements included:

  1. A&E Wig Fashions, Inc. d/b/a A&E and NYS Surgery Center 
  2. A.H. Dental P.C. d/b/a Platinum Dental
  3. Body Laser Spa Inc.
  4. The Block Group, LLC, d/b/a Laser Cosmetica and LC MedSpa, LLC
  5. Bread and Butter NY, LLC d/b/a La Pomme Nightclub and Events Space
  6. Envision MT Corp.
  7. iSEOiSEO
  8. Medical Message Clinic and
  9. Metamorphosis Day Spa, Inc.
  10. Outer Beauty, P.C., Lite Touch Plastic Surgery, P.C., Staten Island Special Surgery, P.C., Sans Pareil Surgical, PLLC
  11. Stillwater Media Group
  12. Swan Media Group, Inc. and Scores Media Group, LLC
  13. US Coachways Limousine, Inc. and US Coachways, Inc.
  14. Utilities International, Inc. d/b/a Main Street Host
  15. The Web Empire, LLC
  16. Webtools, LLC and Webtools Internet Solutions Ltd.
  17. West Village Teeth Whitening Service, LLC; Magic Smile, Inc., aka Magic Smile
  18. XVIO, Inc.
  19. Zamdel, Inc. d/b/a eBoxed

Congratulations to the New York State Attorney General, and his investigative team, for putting a stop to this business practice in New York State. Now, attorneys general in other states also need to take action.

More Unintended Consequences From Massive NSA Surveillance

The Informed Comment blog recently discussed the cancelled visit to Washington, DC by the Brazilian President due to the massive NSA government surveillance activity. Also in response to the surveillance, the Brazilian government is considering hosting its own Internet-connected servers so its citizens can avoid the surveillance programs. The Informed Comment blog highlighted the dangers of this:

"The internet works because each node or connection point is equidistant from all other nodes or connection points. If national bottlenecks are created, it could destroy net neutrality and interfere with international searching and communication. By being greedy for big global data, the NSA may have killed the goose that lays the golden egg. At the same time, knowledge of NSA tactics encourages other governments also to put their populations under intensive electronic surveillance..."

If other countries do the same as Brazil, it will indeed kill the Internet.

JPMorgan Chase To Pay About $1 Billion in Fines To Settle Charges By Regulators

An earlier post reported that both the Consumer Financial Protection Bureau (CFPB) and the Office Of The Comptroller Of The Currency (OCC) were considering fines for JPMorgan Chase, after allegations about how the bank sold identity theft protection services to credit card customers, and collected past-due bills from customers. The two agencies had investigated the allegations together. Late last week, several agencies concluded their investigations and announced both settlements and fines with the bank.

First, the CFPB announced that it had ordered:

"... Chase Bank USA, N.A. and JPMorgan Chase Bank, N.A. to refund an estimated $309 million to more than 2.1 million customers for illegal credit card practices... Chase enrolled consumers in credit card “add-on” products that promised to monitor customer credit and alert consumers to potentially fraudulent activity. In order for consumers to obtain credit monitoring services, consumers generally must provide written authorization. Chase, however, charged many consumers for these products without or before having the written authorization necessary to perform the monitoring services. Chase charged customers as soon as they enrolled in these products even if they were not actually receiving the services yet."

So, the bank charged customers for services the customers never authorized. And, there is more. The bank also unfairly charged fees and interest:

"... The unfair monthly fees that customers were charged sometimes resulted in customers exceeding their credit card account limits, which lead to additional fees for the customers. Some consumers also paid interest charges on the fees for services that were never received."

And, the bank didn't deliver the services promised:

"... Consumers were under the impression that their credit was being monitored for fraud and identity theft, when, in fact, these services were either not being performed at all, or were only partially performed."

All of this happened from October 2005 to June 2012. The order requires Chase to:

  1. Stop unfair billing practices
  2. Fully refund, with interest, the more than 2.1 million consumers who enrolled in credit monitoring services, were charged for these services, and did not receive the services promised. The bank must also refund any interest and over-the-limit fees charged. This refund is estimated at $309 million.
  3. Consumers should have received refunds by November 30, 2012. Chase credit card holders should have received a credit to their accounts. Former card holders should have received checks.
  4. The bank must submit to an independent audit to ensure compliance with the CFPB order.
  5. The bank must also strengthen its management of third-party vendors that provide any credit monitoring services.
  6. The bank will pay a $20 million penalty payment to the CFPB’s Civil Penalty Fund.

Second, the OCC announced that it had levied a separate $60 million fine against JPMorgan Chase and Chase Bank USA:

"The OCC found that the bank’s billing practices violated Section 5 of the Federal Trade Commission (FTC) Act, 15 U.S.C. § 45(a)(1), which prohibits unfair and deceptive acts or practices. The $60 million civil money penalty reflects a number of factors, including the scope and duration of the violations and financial harm to consumers from the unfair practices. The penalty will be paid to the U.S. Treasury."

Third, the Securities and Exchange Commission (SEC) announced several charges against the bank and a settlement agreement with the bank:

"JPMorgan has agreed to settle the SEC’s charges by paying a $200 million penalty, admitting the facts underlying the SEC’s charges, and publicly acknowledging that it violated the federal securities laws."

This is noteworthy also because, as part of the settlement, the bank will admit to facts that led to the wrongdoing. Sadly, most settlement agreements don't require the defendant to admit to any wrongdoing. The SEC had charged JPMorgan Chase with:

"... with misstating financial results and lacking effective internal controls to detect and prevent its traders from fraudulently overvaluing investments to conceal hundreds of millions of dollars in trading losses."

As part of the settlement agreement, the bank will admit to the following facts that led to the wrongdoing:

"The trading losses occurred against a backdrop of woefully deficient accounting controls in the CIO, including spreadsheet miscalculations that caused large valuation errors and the use of subjective valuation techniques that made it easier for the traders to mismark the CIO portfolio."

"JPMorgan senior management personally rewrote the CIO’s valuation control policies before the firm filed with the SEC its first quarter report for 2012 in order to address the many deficiencies in existing policies."

"By late April 2012, JPMorgan senior management knew that the firm’s Investment Banking unit used far more conservative prices when valuing the same kind of derivatives held in the CIO portfolio, and that applying the Investment Bank valuations would have led to approximately $750 million in additional losses for the CIO in the first quarter of 2012."

"External counterparties who traded with CIO had valued certain positions in the CIO book at $500 million less than the CIO traders did, precipitating large collateral calls against JPMorgan."

"As a result of the findings of certain internal reviews of the CIO, some executives expressed reservations about signing sub-certifications supporting the CEO and CFO certifications required under the Sarbanes-Oxley Act."

"Senior management failed to adequately update the audit committee on these and other important facts concerning the CIO before the firm filed its first quarter report for 2012."

"Deprived of access to these facts, the audit committee was hindered in its ability to discharge its obligations to oversee management on behalf of shareholders and to ensure the accuracy of the firm’s financial statements."

The CIO is the Chief Investment Office within the bank. George S. Canellos, Co-Director of the Division of Enforcement at the SEC said:

“While grappling with how to fix its internal control breakdowns, JPMorgan’s senior management broke a cardinal rule of corporate governance and deprived its board of critical information it needed to fully assess the company’s problems and determine whether accurate and reliable information was being disclosed to investors and regulators.”

The SEC coordinated its global investigations and actions with the U.K. Financial Conduct Authority, the Federal Reserve, and the OCC. The U.K. Financial Conduct Authority announced that it fined JPMorgan Chase:

"... £137,610,000 ($220 million) for serious failings related to its Chief Investment Office (CIO). JPMorgan's conduct demonstrated flaws permeating all levels of the firm: from portfolio level right up to senior management, resulting in breaches of Principles 2, 3, 5 and 11 of the FCA's Principles for Businesses - the fundamental obligations firms have under the regulatory system. The breaches occurred in connection with the $6.2 billion trading losses sustained by CIO in 2012... known as the "London Whale" trades, and were caused by a high risk trading strategy, weak management of that trading and an inadequate response..."

The SEC announcement said that JPMorgan will pay about $920 million total in penalties to the four agencies.

I applaud the agencies for their coordinated, global actions. Because banks and corporations operate globally, enforcement agencies must work smartly and cooperate globally. I commend the agencies for a settlement agreement where the defendant admits to facts that led to wrongdoing.

I commend the agencies for the fines, but I wish the fines were far greater. All of this wrongdoing at JPMorgan Chase seems consistent with research that found younger bankers have accepted wrongdoing as a necessary evil to succeed. Bankers globally have a severe ethics problem. As former Secretary of Labor Robert Reich commented recently about the effectiveness of fines to prevent banking abuses:

"Fines effective only if risk of being caught x probability of being prosecuted x amount of fine > profits to be made."

I agree with that assessment 1,000 percent. The outstanding questions I have:

  1. Who is going to jail as a result of violating federal securities laws?
  2. What actions (e.g., discipline, firings) will the bank's board of directors take against senior management that participated in the wrongdoing?
  3. Since wrongdoing occurred at all levels within the bank, what corrective actions -- beyond the settlement agreements -- will the bank take to change banking culture (e.g., teach and reinforce ethics since many bankers fear retaliation) to prevent future wrongdoing?

A new corporate code of ethics is not enough. Not even close.

Study Finds EU Companies Reluctant To Publicly Announce Data Breaches

A recent study by AlienVault uncovered some interesting statistics about data breaches and corporate responsibility:

"... only 2% of surveyed [European Union] companies would be willing to go public should they suffer a security breach. 38% opted to inform the relevant authorities and 31% said they would tell their employees. A mere 11% said they would share the information with the security community."

The reluctance of companies to publicize data breaches seems to be an attempt to balance the need to prevent future attacks against the need to minimize damage to their brands. Additional statistics from the survey: 5 percent of survey respondents said they would do nothing after a malware attack on their systems. Half of survey respondents said that after an attack they would share intelligence with competitors: 35% anonymously, and 15% would reveal their company name.

Sharing information is important. Barmak Meftah, President & CEO of AlienVault said:

"The growing complexity and sophistication of threats make it difficult for security professionals to have a clear view of possible vulnerabilities, threats, and attacks that are out there... Sharing information about the source and nature of attacks allows the security community to act fast, and quickly isolate malicious or compromised hosts... In addition, it helps identify attack methods, tools and patterns, all of which help fuel research on new defense technologies."

AlienVault provides organizations with limited security staff and budgets with methods to address data security compliance and threat management.

Natural Provisions To Pay $30K In Settlement With State Of Vermont For Data Breach

Last week, the State of Vermont Attorney General announced that it had reached a settlement with Natural Provisions regarding a 2012 data breach at the grocery store. The settlement agreement calls for Natural Provisions to make a $30,000 payment: $15,000 to upgrade the grocery store's computer security systems and $15,000 to the State of Vermont.

After an investigation, the Attorney General's office found that Natural Provisions allegedly failed to promptly notify its customers of the data security breach, and failed to take corrective actions in a timely manner:

"When banks traced the fraud back to Natural Provisions, the store was informed that it was the likely source of the fraud. Under Vermont law, a company must notify the Attorney General within 14 days of the discovery of a breach, notify its customers within 45 days... Natural Provisions failed to meet these standards... it did not commence taking remedial action to resolve the security vulnerability for more than a month. It did not notify the Office of the Attorney General, comply with the Data Breach Notification Act, or complete remedial action necessary to resolve the security vulnerability for more than forty-five days... Some consumers had their credit cards compromised, had cards reissued, and had the new cards compromised after use at Natural Provisions."

In its announcement, the Vermont Attorney General also stated:

"By some estimates, over half of all data breaches take place at small businesses, which tend to be easy targets due to inadequate security."

Experts Expect 'Ransomware' To Attack Smartphones And Other Mobile Devices

Today's post highlights another reason consumers should install (and keep updated) anti-virus software on their smartphones, tablets, and other mobile devices. Experts expect online criminals to migrate their ransomware attacks from personal computers (e.g., desktops and laptops running the Windows operating system) to mobile devices.

With ransomware, criminals install malware that takes over the victim's computer. The malware is disguised within mobile apps or in bogus software (e.g., fake anti-virus). Some ransomware, known as "police trojans," pretends to be software from law enforcement. Once the malware is installed and in control of the victim's computer, the criminals demand payment before the victim can regain control of the computer. The payment is usually a wire transfer to a foreign account. Of course, there is no guarantee that the victim will regain control of the computer after paying.

Experts expect ransomware to target mobile devices running the Android OS. Why Android OS devices? CSO Online reported:

"Any business can open an Android app store with or without a mechanism for vetting the available software. As a result, the platform has become a favorite target for cyber criminals... In 2012, the number of Android malware was up 2,577% from the previous year..."

Earlier this year, European law enforcement broke up a ransomware theft ring that had targeted victims in 30 countries. Reportedly, about 3 percent of victims paid 100 Euros (about $134 U.S.) to the online criminals. Officials estimated that the theft ring made millions of Euros.

Ransomware appeals to criminals because it is difficult for consumers to remove the software. So, prevention is the best method for consumers. To avoid ransomware, experts advise consumers to:

  • Visit only well-known, reputable app stores
  • Install and keep updated anti-virus software on your mobile device(s)
  • Regularly back up data on your mobile device(s)
  • If you have an Apple iOS mobile device, don't "jailbreak" it

If your computer or mobile device has been infected with ransomware, experts advise consumers:

Review Group On Intelligence Seeks Comments From The Public

In a blog post on September 4, the Director Of National Intelligence (DNI) explained that the Review Group On Intelligence and Communications Technologies (Review Group) seeks input from the public about government surveillance programs. In August 2013, President Obama ordered the establishment of the Review Group. The DNI blog post explained the topics the Review Group seeks public comments about:

"The Review Group is seeking public comments on all matters that the President has directed it to examine, namely, how in light of advancements in communications technologies, the United States can employ its technical collection capabilities in a manner that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties, recognizing our need to maintain the public trust, and reducing the risk of unauthorized disclosure."

Comments must be sent to [email protected]. Submissions must be received by October 4, 2013. The Review Group is to submit, through the DNI, a final report to the President by December 15, 2013.

IBM To Move 110,000 Retirees From Its Sponsored Health Care Plan To Private Exchanges. Other Companies Plot Similar Moves

Earlier this week, IBM announced that it will move about 110,000 Medicare-eligible retirees from its current company-sponsored health plan to private health care insurance exchanges. Retirees will receive payments towards the cost of health care through exchanges.

While IBM denied that costs were the reason for the move, the news report stated that experts have estimated Medicare costs to triple by 2020. So, while the move may not save IBM any money today, it seems the company's decision is clearly cost-related -- to save itself money in the future.

Reportedly, the new plan for IBM retirees will start January 1, 2014. According to the Chicago Tribune:

"IBM also said it was hosting meetings with groups of retirees across the country to inform them about the move to the country's largest private Medicare Exchange. While some retirees may be skeptical, studies showed that the majority of people have a more positive outlook once they were presented with the concept and understood the options available to them through these exchanges..."

Health care exchanges were created under the 2010 Affordable Health Care Act. At many health care exchanges, open enrollment will begin on October 1, 2013. A health care exchange is:

"... a regulated marketplace where consumers can more easily compare insurance plans through the Internet, on the phone, or through an official helper, called a "navigator." Consumers can also find out if they qualify for Medicaid -- the jointly run federal/state health care program for the poor -- or for federal subsidies to help pay for the insurance... They are for small businesses and people who don't have access to affordable insurance through an employer or are not already enrolled in a government program, such as Medicare."

Experts have projected that the shift to private health care exchanges will affect both retirees and current employees. (I'll bet you didn't know that.) The projections include 1 million workers enrolled in private health care exchanges in 2013, increasing to perhaps 40 million workers in 2018.

Other companies have announced similar health care plan changes for their retirees, including General Electric and Time Warner. Last month, the United Parcel Service announced that it will stop health care coverage for employees' spouses, who can get coverage through another employer's plan:

"By denying coverage to spouses, employers not only save the annual premiums, but also the new fees that went into effect as part of the Affordable Care Act. This year, companies have to pay $1 or $2 “per life” covered on their plans, a sum that jumps to $65 in 2014. And health law guidelines proposed recently mandate coverage of employees’ dependent children (up to age 26), but husbands and wives are optional... next year, 12% of employers plan to exclude spouses, up from 4% this year, according to a recent Towers Watson survey."

Local leaders in some states, such as North Carolina, are hosting forums to explain to residents what health care exchanges are and how they operate. The insurance commissioner in Maryland has already published rates available in the state's new health care exchange, with some rates as low as $122 per month.

What is your opinion of private health care exchanges? What is your opinion of employers that no longer cover their employees' spouses?

Regulators Prepare Fines For JPMorgan Chase

Just before the long holiday weekend, the New York Times reported about possible fines for the bank, JPMorgan Chase. The possible fines result from investigations by the Consumer Financial Protection Bureau (CFPB) and the Office Of The Comptroller Of The Currency (OCC) into allegations about how the bank sold identity theft protection services to credit card customers, and collected past-due bills from customers.

According to the newspaper:

"The most costly cases for JPMorgan center on concerns that the bank duped its credit card customers into buying products pitched as a way to shield them from identity theft. In separate actions reflecting their varied jurisdictions, the consumer bureau will levy a roughly $20 million fine, while the comptroller’s office is expected to extract about $60 million... In a public filing this month, JPMorgan disclosed to investors a bevy of pending investigations from federal authorities scrutinizing the bank’s financial crisis-era mortgage business and its multi-billion-dollar trading loss in London last year..."

In his Twitter feed, former Secretary of Labor Robert Reich commented about the effectiveness of fines to prevent banking abuses:

"Fines effective only if risk of being caught x probability of being prosecuted x amount of fine > profits to be made."

I agree with that assessment 1,000 percent.

Yahoo Sues NSA For Greater Transparency To Inform Users

Yesterday, the Guardian UK reported that Yahoo had filed a lawsuit against the National Security Agency (NSA) to be allowed to inform users about the data requests it receives from the government:

"Withholding the information creates mistrust, Yahoo said. Companies are forbidden by law to say how much data they provide."

Withholding information also harms companies, as Yahoo said in a statement:

"Yahoo's inability to respond to news reports has harmed its reputation and has undermined its business not only in the United States but worldwide. Yahoo cannot respond to such reports with mere generalities."

Google has also filed a motion to be allowed to report more freely. This is a start. I wish that more companies had done this far sooner... years ago. As I warned in an earlier blog post, this massive surveillance hurts American companies directly and worldwide -- revenues, and later jobs. To assume or pretend otherwise is simply foolish and bad policy.

Spy Agencies Aim To Secretly Break All Internet Encryption By Any Means Necessary

Data encryption is essential to doing business on the Internet. Whether you want to buy something online, send an e-mail privately, or send sensitive corporate assets securely, data encryption makes it happen. There is a good article in the New York Times about the efforts by spy agencies -- NSA and GCHQ -- to break the encryption processes frequently used:

"... classified N.S.A. documents make clear, the agency’s success depends on working with Internet companies — by getting their voluntary collaboration, forcing their cooperation with court orders or surreptitiously stealing their encryption keys or altering their software or hardware... the N.S.A. spends more than 250 million a year on its Sigint Enabling Project, which “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable.” Sigint is the abbreviation for signals intelligence, the technical term for electronic eavesdropping... Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology, the United States’ encryption standards body, and later by the International Organization for Standardization, which has 163 countries as members..."

Similar versions of the New York Times article also appear in ProPublica and the Guardian UK. If this bothers you (and I sincerely hope that it does), contact your elected officials today.

Encryption is the process of making messages unreadable to everyone except the sender and authorized reader(s). Some background from a person who teaches cryptography.

Learn more about government surveillance programs in the Surveillance section of this blog. If you want to communicate securely on the Internet, it is still possible. A couple sources with tips:

An Open Letter To NFL Commissioner Roger Goodell

Today's blog post presents slightly different fare from the usual data breach, privacy, and identity-theft news. Today's post does relate to corporate responsibility -- namely, the oligopoly that is the National Football League (NFL). My open letter to the NFL:

Dear NFL Commissioner Roger Goodell:

I love the game of football. I am and have been an NFL fan for many decades. At the age of five, my father took me to my first AFL game in 1960 at the old Polo Grounds in New York City. The New York Titans lost to the Houston Oilers. Over the decades I have watched the NFL both on television and at stadiums in Buffalo, Chicago, Cincinnati, Cleveland, New York City, and Foxboro, Massachusetts.

I write to you today about head injuries and concussions. Recently, the Associated Press reported comments by you about the recent $765 million settlement between the NFL and 4,500 former players:

"This is a significant amount of money...The plaintiffs also agreed it was an appropriate amount. The mediator felt it was an appropriate amount."

Yes, $765 million is a lot of money; definitely when compared to the average annual salary range of $35,000 - $50,000 for football fans. According to Forbes magazine, the payment is not much, about 0.5 percent, when compared to the league's current $9.5 billion annual revenues. News media have reported that you expect league revenues to increase to about $25 billion in fifteen years. That makes the $765 million payment seem even smaller.

Second, as you know, a settlement agreement is often a judgement by plaintiffs about money offered today versus the risks of money later: the cost of a long, drawn-out lawsuit weighed against the probability of winning in court. (Reportedly, the players originally asked for a $2 billion settlement.) News stories have covered the struggles of former players suffering with Alzheimer's, dementia, higher death rates, and suicides. So, suffering former players have a clear incentive to settle now for money to pay health care and related expenses.

Either way, the settlement is nothing anybody should be proud about.

Third, the $765 million compensation to retired players and their families equals about $150,000 per player -- not including any Federal, state, and local taxes owed. That doesn't seem like much when compared to the average long-term care cost for Alzheimer's patients at $234 per day, or $78,110 per year ($56,290 per year per patient with dementia). So, the NFL payment to former players equals about two years of care -- not long -- and far less coverage if the payments are taxable.

And, if some retired, seriously injured players receive the $3 to $5 million maximum from the $765 million settlement, then others from the 4,500 players in the settlement will receive little to nothing -- unless the NFL will pay more during the next 20 years, as your league's annual revenues approach $25 billion. Will you?

The NFL Life Line (for suicides) for players and families was a good start, but the problem of brain injuries is neurological, not psychological. So what else will the league do? Some former players said that more needs to be done, and I agree.

Fourth, the payment calculation seems suspect. Forbes reported:

"The NFL also will cover various legal and administrative fees. Meanwhile, players and families who sued the league will get payouts from the league across the next 20 years. Individual compensation is capped at $5 million per player..."

Forbes also reported:

"If you develop dementia, well, that's worth a maximum of $3 million to the NFL. If you're diagnosed with CTE (chronic traumatic encephalopathy) after your death, your family is eligible for up to $4 million. And lastly, if you are unfortunate enough to develop Lou Gehrig's disease, your potential payout tops out at $5 million. All other retired players will be required to take a test to determine if they suffer from neurological issues, but they will not be required to prove that those issues are linked to concussions suffered while playing in the NFL. At that point, the retired players will be paid according to the number of years they played in the league, with the length of career used to estimate the number of blows to the head the player suffered (I'm not making this up). Ironically, no distinction will be made between positions, so a retired punter stands to receive just as much as a retired offensive tackle, assuming they played for the same amount of time."

What?! I expected payments based on the severity of the injury.

Fifth, my primary feedback to you is this. As much as I love the game, I will stop watching NFL games, if the league fails to do the right thing about head injuries and concussions. That the players sued the league indicates that change is not happening as fast as needed. The right thing includes several things: a) address with greater speed the medical conditions of current and former players; b) address the information needs of youth (a/k/a potential future NFL players); and c) reduce or eliminate brain injuries and concussions.

I mention youth because the NFL has benefited greatly from youth, as fans and as participants in the sport. Part of that was the Punt, Pass, and Kick program, with competitions often held during half-time sessions at NFL games. And, there is the NFL Play 60 program. Players at the college and high school levels often aspire to careers in the NFL. Your league has clout.

While discussing head injuries with other fans (yes, we do discuss this on social networking websites), some make the point that current players made a choice to play in the NFL and assume the risks. While people definitely should be held accountable for their decisions, that choice is good only if it was an informed choice. Many former players and their families clearly stated that they felt they weren't informed. Society knows a lot more today about brain injuries than it did 10 or 15 years ago, when many younger, current NFL players were making sports decisions in high school.

The research shows brain damage at earlier ages -- 20 percent of high school players suffer brain injuries, and 40 percent suffer concussions. So, I will evaluate your league's response to head injuries and concussions with what it does to inform youth -- sports programs and coaches at the college and high school levels -- to help them make informed choices about football careers.

If the NFL only throws chunks of cash at suffering current and former players (and not items "a," "b," and "c" above), then I will consider that a failure to do the right thing, and promptly stop watching the sport. I want to hear more from you about what else the NFL will do -- in plain English, not legal-speak -- as your league's revenues approach $25 billion annually.


George Jenkins
Boston, Massachusetts

Edward Snowden Receives German Whistle Blower Award

Zeit Online reported on Tuesday that Edward Snowden, the former NSA employee who disclosed several documents about massive spying by the U.S. government on its citizens and people around the world, received the 2013 Whistle Blower Award in Germany. The biennial award has been presented since 1999 by Transparency International and the International Association Of Lawyers Against Nuclear Arms. Jacob Appelbaum, a lecturer at the Berlin-Brandenburg Academy of Sciences, accepted the award on behalf of Snowden, who is located in Russia.

The award ceremony also included a recorded speech by Guardian UK news reporter Glenn Greenwald honoring Snowden. The Zeit Online newspaper also published the full text of Snowden's acceptance speech in English. Some key excerpts:

"It is a great honor to be recognized for the public good created by this act of whistle-blowing. However the greater reward and recognition belongs to the individuals and organizations in countless countries around the world who shattered boundaries of language and geography to stand together in defense of the public right to know and the value of our privacy... It is not I, but newspapers around the world who have risen to hold our governments to the issues when powerful officials sought to distract from these very issues with rumor and insult... In contemporary America the combination of weak legal protections for whistle-blowers, bad laws that provide no public interest defense and a doctrine of immunity for officials who have strayed beyond the boundaries of law has perverted the system of incentives that regulates secrecy in government. This results in a situation that associates an unreasonably high price with maintaining the necessary foundation of our liberal democracy – our informed citizenry..."

CVS To Pay $250K Fine For Improper Records Disposal And Selling Expired Products

Just before the long holiday weekend, the State of Maryland Attorney General's office announced a settlement with CVS Pharmacy, Inc. and Maryland CVS Pharmacy, LLC after CVS failed to adequately protect customers' sensitive financial and medical information. Terms of the settlement require CVS to pay a $250,000 fine.

The settlement resolves two key allegations:

  • CVS improperly disposed of customers' records in open trash bins, and
  • CVS sold products after the products' expiration dates or "sell by" dates.

The Maryland Attorney General's Consumer Protection Division (CPD) investigated both allegations. The alleged sale of expired products included baby formula, dairy products, over-the-counter drugs, and vitamins. CVS had allegedly failed to maintain and enforce security methods that were already in place to protect consumers. The Maryland Attorney General's announcement stated:

"Under the Maryland Consumer Protection Act, it is an unfair and deceptive trade practice for a business to attempt to dispose of records containing its customers' personal information without taking reasonable steps to protect against unauthorized access to or use of them. It is also an unfair and deceptive trade practice to offer for sale a product that is no longer effective for its intended use."

For effective data security, the terms of settlement agreement require CVS to:

  1. Maintain, revise as needed, and enforce newly established policies and procedures for the disposal of customers' sensitive medical information (i.e., Protected Health Information or PHI),
  2. Implement an employee training program for handling and disposing of patient information,
  3. Conduct internal monitoring, and
  4. Report any noncompliance to the Maryland CPD for three years.

To prevent the sale of expired products, the terms of the settlement agreement also require CVS to:

  1. Implement policies and procedures about the sale of expired products.
  2. Prompt cashiers via checkout registers to confirm that dairy products, baby food, infant formula and over-the-counter children's drugs are not expired. CVS is to implement this program for three years.
  3. Offer consumers a $2.00 discount coupon toward any purchase if a consumer finds and turns in an expired product (over-the-counter drugs, edible product, and vitamins and dietary supplements) on store shelves. CVS is to provide this offer for two years.

Citibank To Pay $55K Fine To Settle Data Breach Investigation

Just before the long holiday weekend, the State of Connecticut Attorney General's office announced a preliminary settlement agreement with Citibank, N.A. about a data breach at the bank which affected more than 360,000 banking customers. The terms of the proposed settlement include a $55,000 payment to the state, and other specific data-security conditions.

The settlement was finalized after a joint investigation by the California and Connecticut Attorney Generals' offices. The investigation found that:

"... a known technical vulnerability in Citibank's Account Online Web-based service permitted hackers to access multiple user accounts. Hackers accessed account information through Account Online by logging in with an account number and password, and then modifying a few characters in the resulting Universal Resource Locator (URL) bar in a browser in order to access additional accounts. This vulnerability was known to the company at the time of the breach and may have existed since 2008."

Citibank discovered the data breach on May 10, 2011, but did not permanently fix the vulnerability until May 27, 2011. The bank began notifying affected cardholders on June 3, 2011. Hackers accessed and collected data about 5,066 Connecticut residents.
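The weakness the investigators describe is a missing object-level authorization check: the service confirmed that a session was logged in, but not that the account number in the URL belonged to that session's customer. The following is an added illustration, not Citibank's code or anything from the settlement documents. It shows the unsafe lookup beside the hardened one, and a simple check a defender can run over access logs to spot one session walking through many account identifiers. All account numbers, session tokens, log lines and function names are constructed for the example.

```python
"""
Object-level authorization and enumeration detection for an account lookup.
Constructed example: the accounts, sessions and log lines below are made up.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample data: account records and the customer who owns each one.
ACCOUNTS = {
    "4000111122223333": {"owner": "alice", "balance": 1250.00},
    "4000111122223334": {"owner": "bob", "balance": 87.10},
    "4000111122223335": {"owner": "carol", "balance": 9800.55},
}

# Constructed sessions: an opaque session token maps to the authenticated customer.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


class AccessDenied(Exception):
    """Raised when a request must not be served."""


def lookup_account_vulnerable(session_token, account_number):
    """Checks only that the caller is logged in, then trusts the account number
    taken from the URL. Any authenticated customer can read any account simply
    by editing the identifier: the pattern described in the investigation."""
    if session_token not in SESSIONS:
        raise AccessDenied("not logged in")
    return ACCOUNTS[account_number]


def lookup_account_hardened(session_token, account_number):
    """Checks that the caller is logged in AND that the requested account belongs
    to that customer before returning it (object-level authorization)."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise AccessDenied("not logged in")
    record = ACCOUNTS.get(account_number)
    # Use one error for "missing" and "not yours" so the response does not
    # reveal which account numbers exist.
    if record is None or record["owner"] != user:
        raise AccessDenied("account not available to this session")
    return record


def hardened_allows(session_token, account_number):
    """Convenience wrapper: True if the hardened lookup would serve the request."""
    try:
        lookup_account_hardened(session_token, account_number)
        return True
    except AccessDenied:
        return False


# Constructed access-log lines in the form "<session> <method> <url>".
# sess-alice requests four different account identifiers in a row.
SAMPLE_LOG = """\
sess-alice GET /accountonline/summary?acct=4000111122223333
sess-alice GET /accountonline/summary?acct=4000111122223334
sess-alice GET /accountonline/summary?acct=4000111122223335
sess-alice GET /accountonline/summary?acct=4000111122223336
sess-bob GET /accountonline/summary?acct=4000111122223334
"""


def detect_account_enumeration(log_text, threshold=3):
    """Returns {session: distinct account count} for sessions that requested
    more than `threshold` distinct account identifiers. A customer normally
    views a handful of their own accounts; one session stepping through many
    identifiers is the tampering pattern a defender wants to alert on."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the detector
        session, _method, url = parts
        query = parse_qs(urlparse(url).query)
        for acct in query.get("acct", []):
            seen[session].add(acct)
    return {s: len(accts) for s, accts in seen.items() if len(accts) > threshold}


if __name__ == "__main__":
    print("vulnerable lookup serves bob's account to alice:",
          lookup_account_vulnerable("sess-alice", "4000111122223334")["owner"])
    print("hardened lookup serves it:", hardened_allows("sess-alice", "4000111122223334"))
    print("sessions enumerating accounts:", detect_account_enumeration(SAMPLE_LOG))
```

The hardened lookup ties the authorization decision to the server-side session rather than to anything in the URL, which is the fix for this class of bug regardless of how the identifiers are encoded. The log check is deliberately crude (a fixed count of distinct identifiers per session); in practice the threshold is tuned to how many accounts a customer can legitimately hold.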

The $55,000 payment by Citibank includes $15,000 in civil penalties to the state’s Privacy Protection Guaranty and Enforcement Account, and $40,000 to the state’s General Fund to resolve allegations of violation of the Connecticut Unfair Trade Practices Act. Connecticut Attorney General Jepsen said:

"Citibank represented to its customers that its online system was secured, but ultimately the techniques hackers used to obtain individual account information were relatively simple and unsophisticated... This settlement not only ensures that Citibank will be responsive to its customers should this system experience a breach in the future, it also requires the company to review and audit its security protocols."

Additional terms of the settlement require the bank to hire an independent third-party company to conduct an information security audit of the bank's Account Online system, and report a detailed summary of its findings to the Connecticut Attorney General. Also, the bank must maintain reasonable security procedures and practices to protect Account Online, and provide appropriate notices and free credit-monitoring services for two years to any persons affected by future data breaches with Account Online. The proposed settlement agreement (Adobe PDF) must be approved by the Court.

U.S. And Nigerian Agencies Sign Agreement To Work Together To Fight Cross-Border Fraud

We've all received unsolicited e-mail messages from fraudsters located in other countries. Today's blog post discusses what the U.S. is doing to combat fraud attacks originating in Nigeria.

Just before the Labor Day holiday weekend, the U.S. Federal Trade Commission (FTC) announced a preliminary agreement with two agencies in Nigeria to increase cooperation in fighting cross-border fraud. The FTC signed a memorandum of understanding (MOU) with Nigeria's Consumer Protection Council (CPC) and Nigeria's Economic and Financial Crimes Commission (EFCC).

The MOU provides for a Joint Implementation Committee to identify concrete areas of collaboration, establish joint training programs and workshops, and provide assistance regarding specific cases and investigations. The MOU is a framework for voluntary cooperation and will not change existing laws in either country. The CPC addresses consumer complaints through investigations and enforcement; the EFCC is a criminal enforcement agency with authority to address consumer fraud and other financial crimes.

FTC Chairwoman Edith Ramirez said:

"Cross-border scammers use fraudulent e-mails and other scams to bilk consumers all over the world, while undermining confidence in legitimate businesses... This MOU will help our agencies better protect consumers in both the U.S. and Nigeria."

Director Dupe Atoki of the CPC stated:

"We fully support this collaboration on consumer and fraud matters, and have already detailed a senior CPC official to the FTC for a six-month staff exchange."

Executive Chairman Ibrahim Lamorde of the EFCC said that he:

"...welcomes this partnership, which builds on our existing collaboration with the FTC and with U.S. criminal enforcement authorities."

The FTC already works with the two Nigerian agencies on policy and enforcement matters, including the African Consumer Protection Dialogue, the International Mass Marketing Fraud Working Group, the London Action Plan (LAP, an anti-spam network), and the International Consumer Protection and Enforcement Network (ICPEN). ICPEN has agencies from about 50 countries.

The FTC Office of International Affairs oversees international projects and provides representatives who work with agencies in other countries. Using both formal and informal agreements, the FTC works with more than 100 consumer protection organizations in other countries.

Energy Providers: A New I've Been Mugged Topic

Many consumers now have smart meters installed in their homes. Now, both public utilities and private sector companies provide consumers with energy services. Some people are concerned about the privacy implications with the new technologies. So, I have added a new topic in the tag cloud in the near right column. The "Energy Providers" topic includes content where we will explore these and other issues.

I hope that you like the new category.