16 posts from July 2015

Study: Companies Pay Their Senior Executives More Than They Pay In Federal Taxes

The Institute For Policy Studies released the results of a study of executive compensation and corporate taxes. Researchers analyzed the pay of Chief Executive Officers (CEOs) at the largest corporations and of the highest-paid CEOs. Key findings were:

"Of America’s 30 largest corporations, seven (23 percent) paid their CEOs more than they paid in federal income taxes last year... Of America’s 100 highest-paid CEOs, 29 received more in pay last year than their company paid in federal income taxes—up from 25 out of the top 100 in our 2010 and 2011 surveys."

The pay of those 29 CEOs averaged $32 million. The study also investigated tax shelters. The 29 corporations that paid more to their CEOs than federal income taxes also operated:

"... 237 subsidiaries in tax havens. The company with the most subsidiaries in tax havens was Abbott Laboratories, with 79. The pharmaceutical firm’s CEO paycheck was $4 million larger than its IRS bill in 2013. Of the 29 firms, only 12 reported U.S. losses in 2013. At these 12 unprofitable firms, CEO pay averaged $36.6 million—more than three times the $11.7 million national average for large company CEOs..."

The corporations are familiar brands and names:

"The company that received the largest tax refund was Citigroup, which owes its existence to taxpayer bailouts. In 2013, Citi paid its CEO $18 million while pocketing an IRS refund of $260 million. Three firms have made the list in all three years surveyed. Boeing, Chesapeake Energy, and Ford Motors paid their CEO more than Uncle Sam in 2010, 2011, and 2013."

It would seem that the shareholders at these 12 unprofitable firms either don't care or have allowed the boards of directors to authorize exorbitant pay packages despite unprofitable performance. If those seven large, profitable corporations had paid the full statutory tax rate of 35 percent, they would have paid $25.9 billion in federal taxes, which could have been used instead for:

"... Restoring elementary and high school teaching jobs lost to recession and austerity budget cuts... Resurfacing 22,240 miles of four-lane roads... Running the U.S. Department of Veterans Affairs for two months... Making pre-K [education] universal..."

The authors, Scott Klinger and Sarah Anderson, concluded:

"For corporations to reward one individual, no matter how talented, more than they are contributing to the cost of all the public services needed for business success reflects the deep flaws in our corporate tax system. Rather than more tax breaks, Congress should focus on addressing these deep flaws by cracking down on the use of tax havens, eliminating wasteful corporate subsidies, and closing loopholes that encourage excessive executive compensation."

Some specific actions Congress could take (links added):

"... the CUT Loopholes Act would close a variety of loopholes that facilitate tax dodging through offshoring. This bill would treat the foreign subsidiaries of U.S. corporations, whose management and control occur primarily in the United States, as U.S. domestic corporations for income tax purposes. It would also force corporations to take the same expense for stock option grants on their tax returns as they report on their shareholder books... Passing this legislation would reduce the incentive to shift profits and jobs overseas and could raise an additional $189 billion over ten years without raising corporate tax rates... Corporate Tax Fairness Act (S. 250 and H.R. 694)... would eliminate the ability of corporations to defer tax payments on their offshore profits. Instead, all worldwide profits earned by U.S. corporations would be immediately taxable in the United States. Firms would receive a dollar-for-dollar tax credit for any taxes paid to foreign governments. Corporations earning their profits in places like the United Kingdom, Germany, or France, where effective corporate tax rates are similar to U.S. rates, would pay little if any additional tax to the U.S. government. But firms stashing their profits in offshore tax havens would be forced to pay up for their years of tax haven abuse. The bill would raise an estimated $590 billion over ten years."

Download the report, "Fleecing Uncle Sam" (Adobe PDF). A copy is also available here.


FTC Report Recommended Best Practices For Companies Offering Products For The Internet of Things

Earlier this year, the U.S. Federal Trade Commission (FTC) released a report about the Internet of Things (IoT): the set of technologies and devices outfitted with sensors that collect data, communicate directly with each other, transmit data to the company that built them, and publish data to the Internet, often without direct human interaction. The FTC recommended:

"... a series of concrete steps that businesses can take to enhance and protect consumers’ privacy and security... The Internet of Things is already impacting the daily lives of millions of Americans through the adoption of health and fitness monitors, home security devices, connected cars and household appliances... Such devices offer the potential for improved health-monitoring, safer highways, and more efficient home energy use... However, the FTC report also notes that connected devices raise numerous privacy and security concerns that could undermine consumer confidence."

Experts have estimated 25 billion connected devices this year, and 50 billion by 2020. FTC Chairwoman Edith Ramirez said:

"The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers... We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”

The FTC held a workshop during November 2013 with interested industry participants. The report listed best practices identified and discussed during that workshop. Some important limitations of the report:

"... our discussion is limited to IoT devices that are sold to or used by consumers. Accordingly, the report does not discuss devices sold in a business-to-business context, nor does it address broader machine-to-machine communications that enable businesses to track inventory, functionality, or efficiency..."

The report listed some of the benefits from IoT devices:

"... connected medical devices can allow consumers with serious medical conditions to work with their physicians to manage their diseases. In the home, smart meters can enable energy providers to analyze consumer energy use, identify issues with home appliances, and enable consumers to be more energy-conscious. On the road, sensors on a car can notify drivers of dangerous road conditions, and software updates can occur wirelessly, obviating the need for consumers to visit the dealership..."

The disadvantages from the Internet of Things:

"... a variety of potential security risks that could be exploited to harm consumers by: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety. Participants also noted that privacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time. In particular, some panelists noted that companies might use this data to make credit, insurance, and employment decisions..."

The report recommended a "security by design" approach, with best practices for security, personnel, data minimization, and legislation. For security best practices, companies should:

  1. Conduct privacy or security risk assessments,
  2. Minimize the data collected and retained,
  3. Test their security measures before launching products and services, and
  4. Monitor products (and services) throughout the life-cycle and patch known vulnerabilities.

For personnel best practices, the report recommended that companies:

  1. Train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization,
  2. Retain vendors and sub-contractors that are capable of maintaining reasonable security, and provide reasonable oversight of them,
  3. Identify significant risks within their systems, and implement corresponding defenses, and
  4. Consider implementing reasonable access control measures to limit the ability of unauthorized persons to access a consumer's device, data, or even the consumer's network.

To minimize the amount of consumers' sensitive information collected, companies should:

"... examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data... data minimization is a flexible one that gives companies many options. They can decide not to collect data at all; collect only the fields of data necessary to the product or service being offered; collect data that is less sensitive; or de-identify the data they collect..."
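To make those four options concrete, here is an added example (my own code, not from the FTC report or from any device vendor) of a collection policy applied to a hypothetical fitness-tracker upload: fields the service does not need are never stored, the timestamp is coarsened to the hour, and the device serial is replaced by a keyed pseudonym. The sample record, its field names, and the key are all constructed for the demonstration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample record (hypothetical; not taken from the FTC report):
# everything a chatty fitness-tracker firmware might upload if it sent all it has.
RAW_EVENT = {
    "device_serial": "FT-00042-XYZ",
    "owner_name": "Jane Doe",
    "owner_email": "jane@example.com",
    "timestamp": "2015-07-14T08:23:41Z",
    "lat": 42.360091,
    "lon": -71.094160,
    "heart_rate_bpm": 72,
    "steps": 3412,
    "wifi_ssid": "Doe-Home",
}

# Only the fields the daily step / heart-rate summary actually needs.
# Everything else is never collected (the FTC's "decide not to collect data at all").
ALLOWED_FIELDS = {"timestamp", "heart_rate_bpm", "steps"}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of an identifier. The same device always maps to the
    same opaque token, so records can still be grouped per device, but the
    serial cannot be recovered from the token without the server-held key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def coarsen_timestamp(ts: str) -> str:
    """Truncate an ISO-8601 UTC timestamp to the hour: precise enough for a
    daily summary, much less revealing of a person's minute-by-minute routine."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0).strftime("%Y-%m-%dT%H:%M:%SZ")


def minimize(event: dict, key: bytes) -> dict:
    """Apply the collection policy to one raw event and return what may be stored."""
    kept = {k: v for k, v in event.items() if k in ALLOWED_FIELDS}
    kept["timestamp"] = coarsen_timestamp(kept["timestamp"])
    kept["device_id"] = pseudonymize(event["device_serial"], key)
    return kept


def dropped_fields(event: dict) -> list:
    """Fields the policy discards outright; useful for a privacy review or audit log."""
    return sorted(k for k in event if k not in ALLOWED_FIELDS)


if __name__ == "__main__":
    # Constructed key for the demo; in production it lives in a KMS or HSM, not in code.
    demo_key = b"server-side-pseudonymization-key"
    print(minimize(RAW_EVENT, demo_key))
    print("never stored:", dropped_fields(RAW_EVENT))
```

Two caveats a practitioner would want. First, a keyed pseudonym is re-identifiable by whoever holds the key, so this is de-identification in the report's sense, not anonymization; keep the key separate from the stored records and rotate it under a written policy. Second, the interesting part is the `ALLOWED_FIELDS` set, not the code around it: that set is exactly what the privacy risk assessment in the report's first best practice should produce, and it should be reviewed whenever the product adds a feature.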

Companies that collect consumers' information should obtain consumers' consent before collection. The report seemed to focus more on balancing consumers' needs for notice and consent with companies' needs for streamlined systems (link added):

"This does not mean that every data collection requires choice. The Commission has recognized that providing choices for every instance of data collection is not necessary to protect privacy. In its 2012 Privacy Report, which set forth recommended best practices, the Commission stated that companies should not be compelled to provide choice before collecting and using consumer data for practices that are consistent with the context of a transaction or the company’s relationship with the consumer. Indeed, because these data uses are generally consistent with consumers’ reasonable expectations, the cost to consumers and businesses of providing notice and choice likely outweighs the benefits. This principle applies equally to the Internet of Things."

Many devices connected to the Internet of Things will not have traditional interfaces (e.g., keyboard, screen) like you see today with computers, laptops, tablets, and smart phones. Hence:

"Staff acknowledges the practical difficulty of providing choice when there is no consumer interface and recognizes that there is no one-size-fits-all approach. Some options include developing video tutorials, affixing QR codes on devices, and providing choices at point of sale, within set-up wizards, or in a privacy dashboard. Whatever approach a company decides to take, the privacy choices it offers should be clear and prominent, and not buried within lengthy documents."

The example that comes to mind is Internet-connected refrigerators. For consumers to make informed choices, manufacturers must provide privacy and terms-of-use policies to consumers both before and after purchase. This calls for alternative ways of delivering privacy and terms-of-use policies. I am sure that other privacy bloggers and privacy advocates will watch closely how these IoT devices are marketed.

Last, the report discussed the current state of legislation. The consensus seemed to be that more is needed at both the state and federal levels.

Download the FTC report: "Internet of Things: Privacy & Security In a Connected World" (Adobe PDF) from the FTC site. A copy is also available here.

What are your opinions of the Internet of Things? Of the recommended best practices? How would you like IoT manufacturers to deliver policies before purchase?


Medical Informatics Engineering Breach Highlights Breach Notice, Privacy, And Cloud-Storage Issues

In early June, Medical Informatics Engineering (MIE) announced a data breach in which unauthorized persons accessed its systems. The breach at MIE, an electronic health records vendor used by many health providers, exposed the sensitive Protected Health Information (PHI) of an undisclosed number of patients in several states. MIE began notifying its corporate clients during June, and began notifying affected patients on July 17.

The July 24, 2015 MIE press release about the breach stated:

"FORT WAYNE, Ind.--(BUSINESS WIRE)--On behalf of itself, its NoMoreClipboard subsidiary and its affected clients, Medical Informatics Engineering is writing to provide updated notice of a data security compromise that has affected the security of some personal and protected health information relating to certain clients and individuals who have used a Medical Informatics Engineering electronic health record or a NoMoreClipboard personal health record or patient portal. We emphasize that the patients of only certain clients of Medical Informatics Engineering and NoMoreClipboard were affected by this compromise and those clients have all been notified."

NoMoreClipboard.com (NMC) is a cloud-based service by MIE for storing patients' health records and making the records easily accessible from a variety of devices: desktops, laptops, tablets, and smart phones. The service is sold to doctors, hospitals, and related professionals.

According to its breach FAQ page, MIE's client list includes:

  • Concentra,
  • Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center (including Neurology, Physical Medicine and Neurosurgery),
  • Franciscan St. Francis Health Indianapolis,
  • Gynecology Center, Inc. Fort Wayne,
  • Rochester Medical Group,
  • RediMed, and
  • Fort Wayne Radiology Association, LLC (including d/b/a Nuvena Vein Center and Dexa Diagnostics, Open View MRI, LLC, Breast Diagnostic Center, LLC, P.E.T. Imaging Services, LLC, MRI Center — Fort Wayne Radiology, Inc. f/k/a Advanced Imaging Systems, Inc.)

NoMoreClipboard.com's client list includes many clinics, hospitals, physicians, specialists, attorneys, schools, and more (links added):

NoMoreClipboard.com Clients Affected By Data Breach
Advanced Cardiac Care
Advanced Foot Specialists
All About Childrens Pediatric Partners, PC
Allen County Dept of Health
Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center
Altagracia Medical Center
Anderson Family Medicine
Arkansas Otolaryngology, P.A.
Auburn Cardiology Associates
Basedow Family Clinic Inc.
Bastrop Medical Clinic
Batish Family Medicine
Beaver Medical
Boston Podiatry Services PC
Brian Griner M.D.
Brightstarts Pediatrics
Burnsville Medical Center
Capital Rehabilitation
Cardiovascular Consultants of Kansas
Carl Gustafson OD
Carolina Gastroenterology
Carolina Kidney & Hypertension Center
Carolinas Psychiatric Associates
Center for Advanced Spinal Surgery
Chang Neurosurgery & Spine Care
Cheyenne County Hospital
Children's Clinic of Owasso, P.C.
Clara A. Lennox MD
Claude E. Younes M.D., Inc.
CMMC
Coalville Health Center
Cornerstone Medical and Wellness, LLC
Cumberland Heart
David A. Wassil, D.O.
David M Mayer MD
Dr. Alicia Guice
Dr. Anne Hughes
Dr. Buchele
Dr. Clark
Dr. Harvey
Dr. John Labban
Dr. John Suen
Dr. Puleo
Dr. Rajesh Rana
Dr. Rustagi
Dr. Schermerhorn
Dr. Shah
Ear, Nose & Throat Associates, P.C.
East Carolina Medical Associates
Eastern Washington Dermatology Associates
Ellinwood District Hospital
Family Care Chiropractic Center
Family Practice Associates of Macomb
Family Practice of Macomb
Floyd Trillis Jr., M.D.
Fredonia Regional Hospital
Fremont Family Medicine
Generations Primary Care
Grace Community Health Center, Inc.
Grisell Memorial Hospital
Harding Pediatrics LLP
Harlan County Health System
Health Access Program
Heart Institute of Venice
Henderson Minor Outpatient Medicine
Henry County Hospital myhealth portal
Highgate Clinic
Hobart Family Medical Clinic
Howard Stierwalt, M.D.
Howard University Hospital
Hudson Essex Nephrology
Huntington Medical Associates
Huntington Medical Group
Hutchinson Regional Medical Center
Idaho Sports Medicine Institute
In Step Foot & Ankle Specialists
Independence Rehabilitation Inc
Indiana Endocrine Specialists
Indiana Internal Medicine Consultants
Indiana Ohio Heart Indiana Surgical Specialists
Indiana University
Indiana University Health Center
Indianapolis Gastroenterology and Hepatology
Internal Medicine Associates
IU — Northwest
Jackson Neurolosurgery Clinic
James E. Hunt, MD
Jasmine K. Leong MD
Jewell County Hospital
John Hiestand, M.D.
Jonathan F. Diller, M.D.
Jubilee Community Health
Kardous Primary Care
Keith A. Harvey, M.D.
Kenneth Cesa DPM
Kings Clinic and Urgent Care
Kiowa County Memorial Hospital
Kristin Egan MD
Lakeshore Family Practice
Lane County Hospital
Logan County Hospital
Margaret Mary Health
Masonboro Urgent Care
McDonough Medical Group Psychiatry
Medical Care, Inc.
Medical Center of East Houston
Medicine Lodge Memorial Hospital
MedPartners
MHP Cardiology
Michael Mann, MD, PC
Michelle Barnes Marshall, P.C.
Michiana Gastroenterology, Inc.
Minneola District Hospital
Mora Surgical Clinic
Moundridge Mercy Hospital Inc
myhealthnow
Nancy L. Carteron M.D.
Naples Heart Rhythm Specialists
Nate Delisi DO
Neighborhood Health Clinic
Neosho Memorial Regional Medical Center
Neuro Spine Pain Surgery Center
Norman G. McKoy, M.D. & Ass., P.A.
North Corridor Internal Medicine
Nova Pain Management
Novapex Franklin
Oakland Family Practice
Oakland Medical Group
Ohio Physical Medicine & Rehabilitation Inc.
On Track For Life
Ottawa County Health Center
Pareshchandra C. Patel MD
Parkview Health System, Inc. d/b/a Family Practice Associates of Huntington
Parkview Health System, Inc. d/b/a Fort Wayne Cardiology
Parrott Medical Clinic
Partners In Family Care
Personalized Health Care Of Tucson
Phillips County Hospital
Physical Medicine Consultants
Physicians of North Worchester County
Precision Weight Loss Center
Primary & Alternative Medical Center
Prince George's County Health Dept.
Rebecca J. Kurth M.D.
Relief Center Republic County Hospital
Ricardo S. Lemos MD
Richard A. Stone M.D.
Richard Ganz MD
River Primary Care
Rolando P. Oro MD, PA
Ronald Chochinov
Sabetha Community Hospital
Santa Cruz Pulmonary Medical Group
Santone Chiropractic
Sarasota Cardiovascular Group
Sarasota Center for Family Health Wellness
Sarasota Heart Center
Satanta District Hospital
Saul & Cutarelli MD's Inc.
Shaver Medical Clinic, P. A.
Skiatook Osteopathic Clinic Inc.
Sleep Centers of Fort Wayne
Smith County Hospital
Smith Family Chiropractic
Somers Eye Center
South Forsyth Family Medicine & Pediatrics
Southeast Rehabilitation Associates PC
Southgate Radiology
Southwest Internal Medicine & Pain Management
Southwest Orthopaedic Surgery Specialists, PLC
Stafford County Hospital
Stephen Helvie MD
Stephen T. Child MD
Susan A. Kubica MD
Texas Childrens Hospital
The Children's Health Place
The Heart & Vascular Specialists
The Heart and Vascular Center of Sarasota
The Imaging Center
The Johnson Center for Pelvic Health
The Medical Foundation, My Lab Results Portal
Thompson Family Chiropractic
Trego County Hospital
Union Square Dermatology
Volunteers in Medicine
Wells Chiropractic Clinic
Wichita County Health Center
William Klope MD
Wyoming Total Health Record Patient Portal
Yovanni Tineo M.D.
Zack Hall M.D.

The MIE press release included few details about exactly how hackers accessed its systems:

"On May 26, 2015, we discovered suspicious activity in one of our servers. We immediately began an investigation to identify and remediate any identified security vulnerability. Our first priority was to safeguard the security of personal and protected health information, and we have been working with a team of third-party experts to investigate the attack and enhance data security and protection. This investigation is ongoing. On May 26, 2015, we also reported this incident to law enforcement including the FBI Cyber Squad. Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement’s investigation. The investigation indicates this is a sophisticated cyber attack. Our forensic investigation indicates the unauthorized access to our network began on May 7, 2015. Our monitoring systems helped us detect this unauthorized access, and we were able to shut down the attackers as they attempted to access client data."

The breach highlights the need for greater transparency by both health care providers and the outsourcing vendors they hire. The breach also highlights the fact that medical records are stored and accessible via cloud-based services. Did you know that? I didn't before. And, this raises the question: is storage of PHI in the cloud the best and safest way?

The breach notices from MIE to consumers may create confusion, since patients don't do business directly with MIE and probably won't recognize its name. My wife received a breach notice on Friday and did not recognize MIE by name. I hadn't heard of MIE, either, so I did some online research. During June, MIE notified both the California Attorney General's office (Adobe PDF) and the New Hampshire Attorney General's office (Adobe PDF) of residents in each state affected by the data breach. MIE is represented by the law firm of Lewis, Brisbois, Bisgaard and Smith LLP (LBBS). LBBS has offices in 35 states and the District of Columbia.

MIE probably notified several other states, but many states, including Massachusetts, do not post online the breach notices their Attorney General's office receives. (They should, since it helps consumers verify breach notices.) The HIPAA Breach Notification Rule requires covered entities and their business associates to notify affected patients of breaches of unsecured PHI; breaches affecting 500 or more individuals must also be reported to the U.S. Department of Health & Human Services (HHS), which posts them publicly. At press time, a check of the HHS site did not find an MIE breach listing. When posted, it should reveal the total number of patients affected by the breach.

The breach notice my wife received was dated July 17, 2015. It repeated information already available online and offered few, new details. It began:

"My name is Eric Jones and I am co-founder and COO of Medical Informatics Engineering, a company that provides electronic medical record services to certain health care provider clients, including Concentra. On behalf of Medical Informatics Engineering, I am writing to notify you that a data security compromise occurred at Medical Informatics Engineering that has affected the security of some of your personal and protected health information. This letter contains details about the incident and our response..."

My wife didn't recognize either Concentra nor No More Clipboard by name. The notice she received listed the following patients' information as exposed or stolen:

"While investigations into this incident are ongoing, we determined the security of some personal and protected health information contained on Medical Informatics Engineering's network has been affected. The affected information: SSN, Address, Phone, Birth Date"

This seemed vague. Which address: e-mail or residential street address? Which phone: mobile, land-line, or both? Were Social Security Numbers stored in open or encrypted format? And, if not encrypted, why not? The breach notice didn't say much.

Then, there is this: the breach letter my wife received included far fewer information elements than the July 24, 2015 press release:

"The affected data relating to individuals affiliated with affected Medical Informatics Engineering clients may include an individual’s name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, Social Security number, lab results, health insurance policy information, diagnosis, disability code, doctor’s name, medical conditions, and child’s name and birth statistics. The affected data relating to individuals who used a NoMoreClipboard portal/personal health record may include an individuals’ name, home address, Social Security number, username, hashed password, spousal information (name and potentially date of birth), security question and answer, email address, date of birth, health information, and health insurance policy information."

This raised the question: which MIE document is correct? The breach notice, the press release, or neither? The notice seemed to raise more questions than it answered, so Monday morning we called the MIE hotline listed in its breach notice. After waiting 50 minutes on hold, a representative finally answered. The phone representative identified herself and her employer, Epic Systems based in Oregon. So, MIE outsourced the hotline support portion of its post-breach response.

I asked the representative to explain exactly how MIE acquired my wife's medical records. She looked up my wife's record in their system and replied that MIE had acquired it through business with Concentra. This was puzzling since neither my wife nor I have done business with Concentra. So, I was on the phone with one subcontractor who was pointing the finger at another subcontractor. Lovely. And, nobody on the phone actually from MIE. Disappointing.

Next, I called the nearest Concentra office, which is 17 miles away in Wilmington, Massachusetts. (We live in Boston.) The person in the billing department was helpful. (She admitted that she, too, had received a breach notice from MIE.) The representative attempted to find my wife's information in Concentra's systems. As my wife and I thought: no record. We have not done any business with Concentra. Confirmed.

The Wilmington-office representative's first answer was to give me the MIE breach hotline number. I explained that I had already called the MIE hotline. Then, the representative provided a regional contact in Concentra's human resources department. I have called Tyree Wallace twice, but so far no response. Not good.

What to make of this situation? One vendor's system has errors, but I can't yet tell which: MIE or Concentra. Maybe that's a result of the hack. Maybe not. The whole situation reminds me of the robo-signing and residential mortgage-backed securities scandals by banks, where shortcuts were taken without proper documentation and items were repackaged, sold, and resold without disclosures -- nobody knew exactly what was what. An epic mess. Could a similar epic mess have happened with electronic medical records? I hope not.

I reviewed the breach notice again, but this time focused upon MIE's offer of two years of free credit monitoring services with the Experian ProtectMyID Elite service. The ProtectMyID website lists the following features:

"Credit Monitoring: You may review your credit card statements every month for purchases you didn't make. But, every day, we check your credit report for other types of fraud that are much more dangerous. We watch for 50 leading indicators of identity theft. Each one, from a new loan to medical collections, poses a unique threat to your identity that we'll help you address."

"Internet Scan: ProtectMyID continually monitors a vast number of online sources where compromised credit and debit card numbers, Social Security numbers and other personal data is found, traded or sold, helping reduce your potential exposure to identity theft."

"National Change of Address Monitoring: Your bills and monthly statements can feed criminals important account and personal information. An identity thief may steal a single piece of your mail or all of it with a fraudulent change of address request at the post office. Every day, we look for the red flags. We monitor address changes at the national and credit report levels and help you resolve any issues."

Is this a good deal? Each affected patient can decide for themselves, since you know your needs best. Plus, patients' needs vary. The Internet scan and address monitoring features sound nice, but only you can determine if you need those protections. While two years of free credit monitoring is better than one year, I couldn't find an explicit statement in the site where ProtectMyID monitors credit reports at all three credit reporting agencies (Experian, Equifax, TransUnion), or only one. Monitoring only one doesn't seem like effective coverage. In 8+ years of blogging, I've learned that criminals are smart and persistent. Monitor only one branded credit report (e.g., Experian's), and criminals will approach lenders who use other branded credit reports in order to take out fraudulent loans.

So, what to make of this breach? I see several issues:

  1. Transparency matters: the MIE breach and its post-breach response highlight the importance of transparency. Health care providers and outsourced vendors should make it easy for patients to determine who has their electronic health records and why. Breach notices should clearly state both the EHR vendor's name and the health care provider each patient specifically used. Don't use the vague, confusing language MIE used. (See above.) Be specific and clear in breach notices. Something like this would be better: "We acquired your electronic health records during [year] from Concentra. They were acquired for [insert reasons]."
  2. Update online policies: health care providers' websites should identify their EHR vendors by name in their policies (e.g., terms of use, privacy). EHR vendor sites should identify their clients. Why? When breaches happen, patients need to quickly and easily verify the vendor's breach notice they received. When policies don't mention vendors by name, verification is harder.
  3. Effective credit monitoring: ideally, provide a free service that monitors credit reports at all three major credit reporting agencies (Equifax, Experian, and TransUnion), not just one.
  4. Cloud-based EHR services: is this the best, safest way to store PHI? Cloud storage offers speed, flexibility, and storage benefits. But what about security? Can PHI be effectively secured and protected in the cloud? If you want to learn more, read this 2013 report by the Center for Democracy & Technology about HIPAA compliance and cloud storage (Adobe PDF). The MIE breach highlights the risk. Time will tell if cloud-storage vendors can adequately protect electronic health records (EHR).

In my opinion: an epic fail is brewing. It seems that MIE has done, so far, the minimum with its post breach response. The efforts seem focused upon avoiding liability instead of helping affected patients. So far, MIE has failed to provide a satisfactory answer about when, how, and why it acquired my wife's electronic medical records. I look forward to more disclosures by MIE about exactly how hackers breached its system, and what it will do so this doesn't happen again.

During the next day or so, my wife and I will file a HIPAA complaint. I encourage other patients in similar situations to file complaints, too.

Did you receive a breach notice from MIE? What are your opinions of the MIE data breach and the company's response? Of the free ProtectMyID credit monitoring arranged by MIE? If you have used Concentra, what are your opinions of it?


FTC Alleged Lifelock Violated 2010 Settlement Agreement. Company Stock Price Plunged

You've probably seen the advertisements on television. Lifelock provides identity protection services. Last week, the U.S. Federal Trade Commission (FTC) took action against Lifelock for allegedly violating the terms of its 2010 settlement. The FTC press release:

"... from at least October 2012 through March 2014, LifeLock violated the 2010 Order by: 1) failing to establish and maintain a comprehensive information security program to protect its users’ sensitive personal data, including credit card, social security, and bank account numbers; 2) falsely advertising that it protected consumers’ sensitive data with the same high-level safeguards as financial institutions; and 3) failing to meet the 2010 order’s recordkeeping requirements... from at least January 2012 through December 2014, LifeLock falsely claimed it protected consumers’ identity 24/7/365 by providing alerts “as soon as” it received any indication there was a problem..."

The 2010 settlement resulted after FTC allegations that LifeLock used false claims to promote its identity theft protection services. The settlement stopped the company and its executives from making such claims, and required the company to take stronger measures to protect customers' personal information. The 2010 settlement included a $12 million payment for consumer refunds.

Todd Davis, Chairman and CEO, responded to the FTC allegations in Lifelock's blog:

"LifeLock has been up front and transparent that we have been in a dialogue with the Federal Trade Commission for more than 18 months. During this time, we have worked with agency staff and commissioners, striving to come to a satisfactory resolution. Despite our efforts, we were unable to do so. As a result of our unwillingness to agree to an unreasonable settlement, the agency has decided to litigate its claims. We disagree with the substance of the FTC’s contentions and are prepared to take our case to court."

The legal motions were filed under seal. Lifelock is based in Tempe, Arizona. AZCentral reported:

"LifeLock shares fell more than 49 percent after the FTC accused the company of violating terms of a 2010 settlement by continuing to deceive customers and failing to protect their data... Their assurances did little to stave such a massive sell-off of shares. Because of the plunge, the New York Stock Exchange was twice forced to suspend trading of LifeLock as the share price dropped from $16.05 to close at $8.15."

Consumer Reports reviewed the Lifelock service in 2013:

"The bottom line: Protect yourself for less. Monitor your financial statements and credit reports for suspicious activity that can lead to identity theft. If your credit cards are lost or stolen, you don’t need LifeLock to notify your financial institutions to cancel and replace them. If your Social Security number is out there, we suggest that you put a security freeze on your credit reports at the big three credit bureaus–Equifax, Experian, and TransUnion. That will prevent creditors from accessing your file if a crook tries to open a new account in your name... But there is usually no charge if you’re already a victim of ID theft. Credit bureaus consider credit- and debit-card theft as identity theft, so it should be easier for you to get free freezes."

Past pitch persons for Lifelock have included former prosecutor and New York City Mayor Rudy Giuliani, and radio personality Rush Limbaugh.

July 24 view of Rush Limbaugh site


Ashley Madison Breach Highlights Privacy Flaw In Many Websites


Many news websites have reported on the data breach at the Ashley Madison website, and have focused on the tantalizing aspects: hackers stole information about customers of a website designed to help spouses cheat, and then threatened to release that information unless the site shuts down. The Ashley Madison site has about 37 million subscribers, and is owned by Avid Life Media.

On Monday, Avid Life Media distributed this press release:

"We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We apologize for this unprovoked and criminal intrusion... and have had stringent security measures in place, including working with leading IT vendors from around the world. At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible. Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online."

The breach highlights a common privacy flaw, which Troy Hunt analyzed and documented in his blog. He provided this warning to consumers:

"... here’s the lesson for anyone creating accounts on websites: always assume the presence of your account is discoverable. It doesn’t take a data breach, sites will frequently tell you either directly or implicitly."

The last thing a cheating spouse wants to hear is that their account is discoverable. How do websites break users' online privacy? Mr. Hunt cited one example: the password reset feature.

Most sites have this feature. You've probably used it at your favorite websites, and never thought much about it. The feature allows a registered customer who has forgotten their password to get a new one so they can sign into the site. The first step of a password reset feature is usually a form for the user to enter their e-mail address. Mr. Hunt explained why this is a problem:

"Nine times out of ten, you submit this form and the site explicitly tells you that the email address doesn’t exist thus exposing when an email address does exist courtesy of a different response message. But Ashley Madison is different... it doesn’t deny the presence of the account."

So, a curious wife or husband could enter their spouse's e-mail address to see if he/she uses the site. Mr. Hunt's blog post presented images of Ashley Madison's forgot password feature, so I won't repeat them here. You can browse them for yourself. The important point is this: Ashley Madison's password reset feature was both good and bad. It was good because the copy in the response screen did not disclose the existence of an account:

"Thank you for your forgotten password request. If that email address exists in our database, you will receive an email to that address shortly"

It was bad -- or more precisely, failed -- because the site's feature sends a different response screen to customers versus non-customers, thereby implicitly indicating the existence, or not, of an account. During the eight years I've written this blog, I've learned one chief thing: hackers are creative, smart, and persistent. They use the same software and tools as the good guys. They read the same websites the good guys read. So, you can bet that the hackers have learned what Mr. Hunt discovered. Now, you know.

This is why Mr. Hunt concluded:

"Your affairs were never discreet – Ashley Madison always disclosed customer identities"

A better privacy approach is for password-reset features to ask for a username instead of an e-mail address. That offers a bit more protection. This article in The Verge explained why the above privacy flaw exists in many websites:

"... was true long before the [Ashley Madison] hack, and it was a serious data leak — but because it followed standard web practices, it slipped by mostly unnoticed. It's not the only example: you could make similar points about data retention, SQL databases or a dozen other back-end features. This is how web development usually works. You find features that work on other sites and you copy them, giving developers a codebase to work from and users a head start in figuring out the site. But those features aren't usually built with privacy in mind, which means developers often import security problems at the same time. The password reset feature was fine for services like Amazon or Gmail, where it doesn't matter if you're outed as a user — but for an ostensibly private service like Ashley Madison, it was a disaster waiting to happen."

How do your favorite websites present their password reset features? If you have encountered a site with the above privacy flaw in its password reset feature, please share below.
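The password-reset flaw described above, as an added example that is not code from the original post, from Mr. Hunt, or from Ashley Madison: a leaky handler of the "nine times out of ten" kind beside a hardened one that returns exactly the same response whether or not the address is registered, plus the check a reviewer would run against both. The user table, e-mail addresses, response texts and the `Outbox` mail stand-in are constructed for illustration.

```python
"""Password-reset account enumeration: a leaky handler beside a uniform one.

Added example; not code from the original post, from Troy Hunt, or from
Ashley Madison. The registered addresses, response texts and the mail
stand-in below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample of registered addresses (hypothetical).
REGISTERED = {"alice@example.com", "bob@example.com"}


@dataclass
class Response:
    status: int
    body: str


@dataclass
class Outbox:
    """Stand-in for the mail system; records which addresses got a reset link."""
    sent: list = field(default_factory=list)


def reset_leaky(email, registered=REGISTERED, outbox=None):
    """The common pattern the post describes: an unknown address gets a
    different message (and status), so the response itself reveals whether
    an account exists."""
    outbox = outbox if outbox is not None else Outbox()
    if email not in registered:
        return Response(404, "That email address doesn't exist in our database.")
    outbox.sent.append(email)
    return Response(200, "A reset link has been sent to your email address.")


def reset_uniform(email, registered=REGISTERED, outbox=None):
    """Hardened form: do the work only for known addresses, but return the
    same status and body either way, so nothing in the response depends on
    whether the account exists."""
    outbox = outbox if outbox is not None else Outbox()
    if email in registered:
        outbox.sent.append(email)
    return Response(
        200,
        "Thank you for your request. If that email address exists in our "
        "database, you will receive an email to that address shortly.",
    )


def leaks_account_existence(handler, known_email, unknown_email):
    """Reviewer's check: submit a known and an unknown address and compare the
    whole response, not just the wording. Any difference is an enumeration
    channel, even when the text is non-committal (the Ashley Madison case,
    where the copy was fine but the response screen differed)."""
    known = handler(known_email, outbox=Outbox())
    unknown = handler(unknown_email, outbox=Outbox())
    return (known.status, known.body) != (unknown.status, unknown.body)


if __name__ == "__main__":
    for name, handler in (("leaky", reset_leaky), ("uniform", reset_uniform)):
        leaks = leaks_account_existence(handler, "alice@example.com", "nobody@example.com")
        print(f"{name}: leaks account existence = {leaks}")
```

In a real deployment the comparison should cover the full HTTP response (status, headers, redirect target and the rendered page), and the reset e-mail should be queued rather than sent inline so that response time does not differ between the two branches either.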


Costco, CVS, And Wal-Mart Canada Investigate Possible Data Breaches

On Friday, CVS and Wal-Mart Canada announced investigations into possible data breaches at their photo centers. On Monday, Costco announced a similar investigation about a possible data breach. Costco has also suspended operations of its photo centers. The number of credit card customers affected is unknown at all three retailers.

The outsourcing vendor involved is PNI Digital Media, with offices in Vancouver, British Columbia (Canada) and England. According to its website, PNI Digital Media operates 19,000 retail locations and 8,000 in-store kiosks. The New York Times reported:


"... the breaches highlighted the importance of more rigorously vetting I.T. vendors at a time when companies outsource more and more of their technology operations. Vendors have often proved to be the weakest link..."

Staples acquired PNI Digital Media in July 2014. At press time, the vendor's latest tweet was from May 20, two months ago. That tweet announced that hiring was underway for several positions, including front-end and back-end developers.

Until the retailers announce more about their breaches, experts advise customers of the above retail stores to closely monitor their bank and card statements for fraudulent charges.


Police Officer Charged with Insurance Fraud

[Editor's Note: I am happy to feature a post by guest author Arkady Bukh. He leads the law firm of Bukh & Associates, PLLC which specializes in criminal law, family law, and several areas of civil law. He is a frequent contributor on CNN, Wired, Forbes, Huffington Post, and several other sites. Today's post is about insurance fraud.]

By Arkady Bukh, Esq.

Occasionally, insurance claims are more fiction than reality.

Adjusters know that not every case is as it seems. Some are complex and others bizarre — if not downright creative. Sometimes it appears that the protected have no remorse when it comes to submitting claims that no sane and rational person would think about.

Insurance fraud claims probably require the greatest ingenuity. According to the Insurance Information Institute, fraud losses are over $30 billion a year. Add the costs of health care fraud, $77 billion to $359 billion, and the damages add up quickly.

Insurance fraud falls into two types: hard and soft.

Hard fraud typically means someone deliberately creates a bogus claim application. Soft fraud is more of a crime of chance — padding a legitimate claim, changing a home location so that the insurance premiums are lower — that sort of thing.

Regardless if it’s hard or soft fraud, it’s all illegal and accounts for 5% to 20% of insurers’ claims costs.

The good news is that roughly 95% of insurers use antifraud technology that makes it easier to catch the crooks.

The best technology though doesn't stop some individuals from filing claims that shouldn’t have been filed.

Sometimes, though, the crooks’ stupidity trips them up. Here are two examples:

The Golfer

In a discussion on Quora.com, the online Q&A forum, one case of insurance fraud stands out.

An executive for a publicly traded corporation was big on golfing. Like most serious amateurs, he was also big on new clubs and all the gadgetry that golfers like to purchase.

The executive filed a multi-million dollar lawsuit for disability, claiming that he had fallen and hurt his back while on a business trip out of town.

Several private investigator firms, hired by our fraudster’s employer, were unable to gather information to disprove the disability claim.

Then, a creative Private Investigator came along and figured he could trap the alleged swindler using his love of golf against him.

Running a fake ad in the local newspaper, the PI announced that a new golf club manufacturer was opening up and would be giving away brand-new sets of clubs in exchange for a testimonial.

The VP saw the ad, made the call, and the PI came to the suspect’s house to measure him for his new clubs.

There was just one catch. The PI wanted to take some photographs of the VP using the clubs to go along with the testimonial.

The VP obliged, swung the clubs while the PI snapped away, and the rest of the story can be figured out quickly enough.

The Cop

Perpetrators of workers’ compensation fraud can be found in any job. Law enforcement officers aren’t immune.

Jaime Robinson, a veteran Pasadena police officer, found her undoing during the 2014 craze — ALS’s Ice Bucket Challenge.

Robinson was away from work on a disability claim when someone with a camera captured video of her pouring a bucket of ice water on a fellow cop.

The five-gallon bucket, weighing in at 42 pounds, wasn’t too much for her to lift despite receiving over $116,000 for the past year in disability payments.

Charged with four counts of insurance fraud, Robinson faces a maximum of six years and four months in prison if she’s convicted.


More People Get Their News From Twitter And Facebook

Facebook is not just about lolcats, selfies, and epic partying. More people get their news from Facebook and Twitter.

Pew Research reported several findings from a recent survey of 2,035 U.S. adults. 63 percent of users get their news from Twitter and Facebook. Both social networking services saw increases. In 2013, it was 52 percent for Twitter users and 47 percent for Facebook users. The share of adults using each service (17 percent use Twitter and 66 percent use Facebook) remained fairly constant during this period.

There were more key findings:

"Twitter news users are more likely than their counterparts on Facebook to report seeing news about four out of 11 topics: national government and politics (72% vs. 61%), international affairs (63% vs. 51%), business (55% vs. 42%) and sports (70% vs. 55%)... The rise in the share of social media users getting news on Facebook or Twitter cuts across nearly every demographic group... When it comes specifically to news and information about government and politics, Facebook users are more likely to post and respond to content, while Twitter users are more likely to follow news organizations."

Pew Research Center conducted the survey jointly with the John S. and James L. Knight Foundation. Both social networking sites have focused on breaking news content. Twitter will soon launch:

"... its long-rumored news feature, “Project Lightning.” The feature will allow anyone, whether they are a Twitter user or not, to view a feed of tweets, images and videos about live events as they happen, curated by a bevy of new employees with “newsroom experience.” And, in early 2015, Twitter purchased and launched the live video-streaming app Periscope...  in May, Facebook launched Instant Articles, a trial project that allows media companies to publish stories directly to the Facebook platform... in late June, Facebook started introducing its “Trending” sidebar to allow users to filter by topic and see only trending news about politics, science and technology, sports or entertainment."


Update: Massive Data Breach At OPM Federal Agency

An update on the massive data breach at the Office of Personnel Management (OPM). After discovering in April 2015 that the sensitive personal information of 4.2 million persons was compromised, on July 9 the OPM announced that the number of affected persons was far larger:

"... OPM discovered that additional information had been compromised: including background investigation records of current, former, and prospective Federal employees and contractors. OPM and the interagency incident response team have concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases. This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, primarily spouses or co-habitants of applicants. Some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen."

Additionally, the OPM has not yet notified all affected persons. It has promised to provide free credit monitoring services to persons whose Social Security numbers have been compromised or stolen.

As a result of the massive breach, OPM Director Katherine Archuleta resigned on Friday, July 10. Reportedly, the hacking began before Archuleta assumed the director position.

Some news organizations characterized the OPM breach as "epic." While the sensitive data stolen in the OPM breach is very troubling, there have been several larger data breaches, as measured by the number of records compromised or stolen. The TJX Companies / TJ Maxx breach affected about 94 million persons. The Heartland Payment Systems data breach affected 130 million persons and both retail stores and banks, and resulted in numerous lawsuits. The Sony Playstation Network data breach affected 77 million persons, but the total exceeded 100 million persons after adding the 25 million persons affected by the breach at Sony Online Entertainment (SOE). Earlier this year, the Anthem, Inc. breach affected 80 million persons, including patients and staff.

Many politicians had called for the OPM Director's resignation. If this is the expectation, then CEOs at corporations with massive data breaches should also lose their jobs, unless shareholders find these massive breaches acceptable.


Do Foreign Governments Have a Right To Spy On American Citizens Inside Their Homes? One Country Believes So

Just when you think that the surveillance news can't get any more bizarre, along comes this item. The Electronic Frontier Foundation (EFF) will argue in a federal court today at 2:00 pm for an American seeking to proceed with a lawsuit against the Ethiopian government. Lawyers in the United States representing the Ethiopian government want the case dismissed and claim:

"... that foreign governments have a right to wiretap Americans inside their own homes without court oversight, a right that not even the U.S. government claims for itself."

The plaintiff, an American, uses the pseudonym "Mr. Kidane" to protect his family both in the United States and in Ethiopia. Mr. Kidane wants to sue the Ethiopian government in a United States court for:

"... infecting his computer with secret spyware, wiretapping his private calls, and monitoring his family’s every use of the computer for weeks... EFF Staff Attorney Nate Cardozo will argue Tuesday that Ethiopia must answer in court for the illegal spying on Mr. Kidane. The case is also supported by the law firm of Robins, Kaplan, Miller and Ciresi, LLP."

According to the EFF press release, the spyware allegedly found on Mr. Kidane’s computer was identified as:

"... part of a systemic campaign by the Ethiopian government to spy on perceived political opponents. The malware in this case was a program called FinSpy, surveillance software marketed exclusively to governments by the Gamma Group of Companies. Just recently, leaked documents have shown that a competing spyware company called Hacking Team has also provided covert surveillance software to Ethiopia..."

The New York Times reported in August 2012 that FinSpy was:

"... one of the more elusive spyware tools sold in the growing market of off-the-shelf computer surveillance technologies that give governments a sophisticated plug-in monitoring operation. Research now links it to servers in more than a dozen countries, including Turkmenistan, Brunei and Bahrain, although no government acknowledges using the software for surveillance purposes."

In 2012, experts estimated the size of the spy-software market at $5 billion. I believe consumers can safely assume that the spyware market is far larger today. Founded during the 1990s, the Gamma Group sells turnkey surveillance software globally to governments. "Turnkey" means completed, finished software that is ready to operate. You might say it's plug-and-play.

The Washington Post reported in February 2014 that Mr. Kidane:

"... came to the United States 22 years ago, won political asylum and now is a U.S. citizen living in Silver Spring, Md. He provides “technical and administrative support” to an Ethiopian opposition group, Ginbot 7, but is not a formal member of that group..."

The lawsuit highlights the risks when consumers use the Internet. What are your opinions of this lawsuit?


Discover Introduces 'Smart' Credit Cards With EMV Chip Technology. Are We There Yet?

This month, Discover Bank began to ship upgraded credit cards to its cardholders. The new "smart" credit card includes an embedded EMV chip that offers far more security. The chip stores and transmits encrypted data with a unique identifier for each transaction. The EMV chip technology was developed jointly by Europay, MasterCard, and Visa.

In the United States, cardholders will use the new cards the same way they used the old cards with the obsolete magnetic stripe technology. At retail stores with older terminals, cardholders will continue to swipe their cards to make purchases. At retail stores with chip-enabled terminals, cardholders will instead insert their card into the new terminals. To withdraw cash at bank ATMs, a PIN is required.

Like other new credit cards in the United States, the new Discover credit cards use "chip and signature" technology. I asked a Discover customer service representative whether the new credit cards could be used in Europe, where cards use "chip and PIN" technology. (When the United Kingdom switched to EMV chip cards years ago, fraud in stores there decreased 70 percent.) The representative stated that the new cards could be used in Europe, provided the cardholder sets up a PIN before their trip.

Wise readers note the limitations. The new chip cards won't stop hacks and data breaches at companies, employers, and banks that archive consumers' payment information. The new chip cards won't offer any more security or payment protections until retail stores upgrade their terminals. Credit Card Forum described the method being used to encourage retailers to upgrade by October 2015:

"... the card networks (Visa, MasterCard, AmEx and Discover) are giving both [retail merchants] and card-issuing banks an incentive (both a carrot and a stick) to upgrade by October 2015. At that point, the networks will institute a “fraud liability shift.” That’s a fancy way of saying “adapt or pay.” If a consumer’s card is involved in fraud, whichever party involved in the transaction (the bank that issued the card or the merchant that accepted it) that didn’t upgrade to EMV will be held accountable."

Retailers see the situation differently. CNBC published a retail spokesperson's commentary about the new "chip and signature" credit cards:

"Retailers are also asking card issuers to take more than a half step, and issue "chip and PIN" cards to American consumers. As it currently stands, banks are only issuing "chip and signature" cards in the United States, a less secure standard as signatures can easily be forged. It has been reported by the Federal Reserve that including a PIN makes a transaction up to 700 percent more secure, yet to date, banks are not issuing these cards to American customers... The fastest, easiest and smartest thing we can do to make transactions more secure in the near term is to upgrade credit cards with Chip and PIN technology. Retailers are making the investments needed to accept them, but we need the financial industry to make the same commitment."

Several banks and card issuers in the United States offer EMV-chip credit cards:

  • American Express Premier Rewards Gold
  • Bank of America Travel Rewards
  • Capital One VentureOne Rewards
  • Chase Freedom
  • Chase Sapphire Preferred
  • Citi Diamond Preferred
  • Marriott Rewards Premier
  • Plenti Credit Card from Amex
  • USAA Preferred Cash Rewards World MasterCard

Browse a longer list of EMV-chip cards available in the United States. Both cardholders and non-cardholders can learn more about the new chip credit cards at the Discover site.

Why go part of the way and introduce EMV chips with signatures instead of with PINs? It seems to me that the banks are more interested in shifting the liability for data breaches from themselves to retailers than in providing cardholders with the state-of-the-art EMV security that's already available in most other parts of the world.

What are your opinions of the new "chip and signature" credit cards in the United States?


Supreme Court Ruling About Marriage Will Make Banking Easier For Many Consumers

After the U.S. Supreme Court's ruling in June that legalized marriage nationwide in the United States for gay and lesbian couples, the American Banker magazine reported:

"Executives at big, regional and community financial institutions described the ruling as just and said it would simplify estate planning for some customers, hiring and other business matters... C1 Bank CEO Trevor Burgess, the first openly gay CEO of a bank listed on the New York Stock Exchange, reiterated this sentiment, noting that the decision would benefit businesses "by removing the patchwork system of laws that has led to the need for expensive and complex estate planning and legal maneuvering."

Before the Supreme Court's ruling, same-sex marriage was legal in 37 states. Many bank executives took the opportunity to highlight their inclusive hiring practices. And:

""The U.S. Supreme Court's decision provides important consistency and clarity in same-sex marriage laws across our country," Wells Fargo said in an email to American Banker. Wells Fargo recently became the first bank to showcase an LGBT couple in a nation television ad."

Making banking easier is a good thing. Lowering and eliminating fees would be good, too.


Study: Google May Skew Search Results To Its Content

Consumers use search engines with the assumption that the search results are unbiased. That is, the search results deliver what's available on the Internet and not what the search engine decides for you. The review website Yelp funded a study where researchers at Harvard and Columbia:

"... presented 2,690 web users with two versions of Google. One version showed search results for local businesses as users usually see them, with links to the businesses along with ratings as posted to a Google site. The other version showed links to businesses along with ratings from rival sites like Yelp... The people studied were 45 percent more likely to click on links if Yelp and other competitors were included — a sign, researchers say, that users prefer more diverse search results."

The study is important because it may force government regulators, including the U.S. Federal Trade Commission (FTC), to reopen investigations into online search practices. Google and the FTC reached a settlement in January 2013 about concerns that the company's business practices stifled competition.

Results about the Yelp-funded study were reported in the Focus On The User website:

"You might think that Google gives you the best answers from across the web when you search for something as important as a pediatrician in Munich, a bicycle repair shop in Copenhagen, or a hotel in Madrid. But Google doesn’t actually use its normal organic search algorithm to produce the responses to this question that you see prominently on the first screen. Instead, it promotes a more limited set of results drawn from Google+ ahead of the more relevant ones you would get from using Google's organic search algorithm."

To learn more, I encourage you to watch the six-minute video below, which is also available on Youtube:


China's New National Security Law Raises Intellectual Property, Privacy, And Supply Chain Concerns

The New York Times reported about China's new national security law and how it will affect U.S.-based corporations doing business there. The new law also raises intellectual property, privacy, and supply-chain concerns. What is different about the new law:

"New language in the rules calls for a “national security review” of the technology industry — including networking and other products and services — and foreign investment. The law also calls for technology that supports crucial sectors to be “secure and controllable,” a catchphrase that multinationals and industry groups say could be used to force companies to build so-called back doors — which allow third-party access to systems — provide encryption keys or even hand over source code."

The term "controllable" seems to imply a lot more than access via back doors to software and computing systems. Closely related to this new law are disagreements between the United States and China:

"The United States has accused China of state-sponsored hacking attacks against American companies to gain a commercial advantage... In turn, China maintains that the disclosures by Edward J. Snowden, the former United States National Security Agency contractor, about American online espionage give it plenty of reason to wean itself from foreign technology that may have been tampered with by United States intelligence agencies."

The Ministry of State Security is China's intelligence agency. In April, China withdrew a law that:

"... restricted which technology products could be sold by foreign companies to Chinese banks. Groups that represent companies like Apple, Google and Microsoft had pushed against that law."

Australia's Sydney Morning Herald reported:

"... the Chinese government has enacted a new national security law that amounts to a sweeping command from President Xi Jinping to maintain the primacy of Communist Party rule across all aspects of society. The law is expected to bolster the power of China's domestic security apparatus and military. The law says "security" must be maintained in all fields, from culture to education to cyberspace... security must be defended on international seabeds, in the polar regions and even in outer space."

The Herald added:

"The law is one of three being scrutinised by foreign leaders and corporate executives... The other two laws are expected to be passed soon; one would regulate foreign non-governmental organisations and place them under the oversight of the Ministry of Public Security, and the other is a counterterrorism law... Legal scholars and analysts in China say it will probably lead to the security apparatus amassing more power..."

The U.S. Chamber of Commerce and several companies sent a letter in January 2015 to China calling for more discussions about the new law. The new laws seem to be a clear rejection of that request.

So, there are more security laws to come from China. China's new law raises several questions:

  1. How will high-tech companies respond? Will they comply, fight the new laws, or relocate their businesses to more hospitable countries?
  2. Will Apple permit the Chinese to have back doors or keys to its products after denying that to the U.S. intelligence community?
  3. Reportedly, Google has included NSA code in its software. Will it also allow the MSS to include code?
  4. How will IBM, Cisco, Microsoft, and other high-tech companies respond?
  5. Is it possible to technically alter software products and Internet service for only the Chinese market, which aren't sold in other countries?
  6. If #5 is possible, would other countries' governments accept differentiated products, or demand the same backdoor access as China?
  7. How will the new law affect the Internet of Things (IoT), especially Internet-capable appliances made in China?

What are your opinions of China's new security law? Are there any more issues or questions beyond the seven listed above? How do you think U.S.-based corporations should respond to China's new law?


FISA Court Rules NSA Bulk Phone Metadata Collection Program Can Resume

On Monday the Foreign Intelligence Surveillance Court ruled that the National Security Agency (NSA) can temporarily resume, for six months, its bulk collection of metadata about Americans' phone calls. The program had ended on June 1 when the law it was based upon, Section 215 of the USA Patriot Act, expired. The New York Times reported:

"Congress revived that provision on June 2 with a bill called the USA Freedom Act, which said the provision could not be used for bulk collection after six months. The six-month period was intended to give intelligence agencies time to move to a new system in which the phone records — which include information like phone numbers and the duration of calls but not the contents of conversations — would stay in the hands of phone companies."

The Second Circuit Court of Appeals ruled in May that the bulk phone records program violated the USA Patriot Act. Also:

"... After President Obama signed the Freedom Act on June 2, his administration applied to restart the program for six months. But a conservative and libertarian advocacy group, FreedomWorks, filed a motion in the surveillance court saying it had no legal authority to permit the program to resume,"

The FISA Court ruled against the motion by FreedomWorks. For those interested, read the full text of the June 29, 2015 FISA Court opinion.

Senator Ron Wyden said in a statement:

"I see no reason for the Executive Branch to restart bulk collection, even for a few months. This illegal dragnet surveillance violated Americans' rights for fourteen years without making our country any safer... It is disappointing that the [Obama] administration is seeking to resurrect this unnecessary and invasive program after it has already been shut down. However I am relieved this will be the final five months of Patriot Act mass surveillance... It will take a concerted effort by everyone who cares about Americans' privacy and civil liberties to continue making inroads against government overreach."

So, while the official bulk phone records collection program is ending on November 29, 2015, one could argue that not much has really changed since experts say the telephone companies will perform the phone records collection and archiving instead.

What are your opinions?


Celebrating 8 Years Online!

Eight years ago today, I started the I've Been Mugged blog. Since then, I've learned a lot about identity theft, fraud, privacy, surveillance, and data breaches. This blog has been a good tool to organize my thoughts, learnings, and the online resources I've found.

So, I'd like to first thank all I've Been Mugged readers. I am grateful for your readership and for the comments you have submitted. We have explored together many interesting topics.

Second, I'd like to thank the bloggers and the consumer advocates I've met online. Without their suggestions and encouragement, the quality of I've Been Mugged posts wouldn't be as high. Some bloggers I'd like to thank by name: Lori Magno, Michael Krigsman, Drew McLelland, and Ronni Bennett (who leads by example far more than she realizes). I'd also like to thank my numerous followers on Twitter, including GetCocoon.

Third, I'd like to thank guest authors Bill Seebeck, and R. Michelle Green. Fourth, I'd like to thank the Privacy Crusaders. If you know who they are, then you know the good they've done.

Fifth, I'd like to thank IBM for losing my sensitive personal data during its February 2007 data breach. That incident caused me to start blogging, and more importantly to start thinking about the privacy of my personal information. The more I learned about data breaches and the way companies assist (or don't) their data-breach victims, the more I realized that I had to do something. Rather than be angry, blogging seemed like a healthy and appropriate response.

If you haven't noticed, I named this blog in honor of IBM's data breach = I've Been Mugged.

And, I especially want to thank my wife, Alison. Without her support and flexibility, I couldn't write I've Been Mugged.

What's next? The rapid pace of technological change means there is a lot to write about, such as the Internet of Things (IoT). We'll continue to cover the FCC and Net Neutrality, plus banking and mobile devices. If it's a controversial issue that has privacy concerns, we'll cover it.

If you are a new visitor, there are several easy ways to explore the blog:

  • The right column includes a tag cloud with subjects
  • The right column also includes featured blog posts
  • If you don't see a topic you want, try the search box on the right
  • To find older blog posts, select Archives in either the top horizontal navigation bar or in the footer navigation bar
  • To access product and service reviews, select Reviews in the above horizontal navigation bar