
16 posts from April 2016

Survey: U.S. Households Have More Connected Televisions Than Set-Top Boxes

A recent survey found that most households in the United States with televisions have them connected to the Internet. According to the Leichtman Research Group:

"... 65% of US TV households have at least one television set connected to the Internet via a video game system, a smart TV set, a Blu-ray player, and/or a stand-alone device (like Roku, Apple TV, Chromecast, or Amazon Fire TV) -- up from 44% in 2013, and 24% in 2010... 74% [of households] have more than one device... Overall, there are more connected TV devices in US households than there are pay-TV set-top boxes..."

The survey included 1,206 households. It also included the types of televisions:

"79% of all TV sets in US households are HDTVs -- an increase from 34% of all TV sets in 2010, and 3% in 2004..."

And, satisfaction:

"70% of all [households] with a connected TV agree that streaming services like Netflix are easy to access via connected TV devices... 20% with a pay-TV HD set-top box agree that set-top boxes from TV companies are a waste of money, while 44 percent disagree... 42% [of households] with a pay-TV HD set-top box agree that set-top boxes from TV companies provide features that add value to the TV service, while 16% disagree... 68% [of households] with 3 or more set-top boxes are very satisfied with their pay-TV provider, compared to 54% [for households] with 1-2 set-top boxes..."

The U.S. Federal Communications Commission (FCC) has proposed unlocking set-top boxes to encourage more innovation, competition, choices, and lower prices for consumers. That's welcome news for households dissatisfied with set-top boxes they are forced to purchase from cable-TV providers.


Facebook Tweaks Its Display Algorithm For Members' News Feeds

If you use Facebook, then you probably know that the social networking site uses a formula, or algorithm, to display status messages in users' News Feeds. The site doesn't display in your News Feed all content posted by your "friends" or by the companies, brands, or groups you follow.

Facebook explained the recent tweak to its display algorithm for users' News Feeds:

"... we ask thousands of people to rate their experience every day and tell us how we can improve what they see when they check Facebook — we call this our Feed Quality Program... we’ve found that there are stories people don’t like or comment on that they still want to see, such as articles about a serious current event, or sad news from a friend. Based on this finding, we previously updated News Feed’s ranking to factor in how much time you spend reading a post within News Feed, regardless of whether you opened the article... we’re learning that the time people choose to spend reading or watching content they clicked on from News Feed is an important signal that the story was interesting to them. We are adding another factor to News Feed ranking so that we will now predict how long you spend looking at an article in the Facebook mobile browser or an Instant Article after you have clicked through from News Feed. This update to ranking will take into account how likely you are to click on an article and then spend time reading it..."

So, the algorithm now uses time spent reading a post to decide what it thinks will be relevant to you -- and then displays that. If you don't spend time reading content from a particular source, then Facebook probably won't display it in your News Feed.

Want to see in your News Feed everything your "friends" posted? You can't. Do your "friends" see everything you posted? Nope. To see everything, you'll have to visit the Timeline for each "friend," business, group, or brand you're connected with. To get around this, some users "tag" their friends in the Comments section of status messages so they don't miss something important.

What are your opinions of Facebook's algorithm?


Justice Department Withdraws Lawsuit in Brooklyn To Force Apple To Unlock iPhone

The U.S. Department of Justice (DOJ) has withdrawn its lawsuit in Brooklyn, New York to force Apple Inc. to unlock the iPhone of a convicted drug dealer. The DOJ had appealed a judge's decision in February that denied its request. Reportedly, the DOJ can now access the iPhone since an unnamed party provided it with the user's passcode.

In February, a judge had denied a request by the Federal Bureau of Investigation (FBI) in Brooklyn to force Apple to unlock the iPhone. The DOJ had appealed that decision. The DOJ had dropped a similar lawsuit in California to force Apple to unlock an iPhone used by one of the San Bernardino attackers after the FBI purchased a tool from an unnamed third party to hack the phone. Last week, the FBI revealed that the San Bernardino attacker's iPhone did not contain any information.

The Reuters report about the Brooklyn lawsuit also mentioned:

"Justice Department spokeswoman Emily Pierce said the cases have "never been about setting a court precedent; they are about law enforcement's ability and need to access evidence on devices pursuant to lawful court orders and search warrants.""

Both lawsuits were based upon the 227-year-old All Writs Law. I find Pierce's statement difficult to believe. It's possible, but hard to believe. With a legal precedent to force tech companies to provide "back door" access, the government probably wouldn't have to buy hacking tools from unnamed third parties.

What else might be happening? Perhaps the government felt its court cases were weak, and wanted to avoid another unfavorable decision. Perhaps the government doesn't want to reveal in court any details about its hacking methods. Maybe it didn't hack the phone with a passcode from an unnamed source, but instead used the tool it bought in California -- and didn't want to disclose that the tool could be used widely across iPhone models.

Perhaps, the FBI is relying upon ultimate passage by Congress of the deeply flawed Compliance with Court Orders Act of 2016 (CCOA), written by Senators Richard Burr (R-NC) and Dianne Feinstein (D-Calif.). Passage of that legislation would give the FBI the access it wants to bypass all encryption methods, regardless of the privacy and economic consequences.

What are your opinions?


Open Letter By Tech Industry Associations Calls The Burr-Feinstein Anti-Encryption Proposal 'Unworkable'

Several technology industry associations have sent a joint, open letter to U.S. Senators Richard Burr (R-NC) and Dianne Feinstein (D-Calif.) about proposed legislation the Senators drafted. The Compliance with Court Orders Act of 2016 (CCOA) would force companies to de-encrypt communications on demand for law enforcement agencies.

The industry associations described the proposed legislation as "unworkable" in that it would "create government mandated security vulnerabilities" in digital products and services. The letter stated in part:

"We write to express our deep concerns about well-intentioned but ultimately unworkable policies around encryption that would weaken the very defenses we need to protect us from people who want to cause economic and physical harm. We believe it is critical to the safety of the nation’s, and the world’s, information technology infrastructure for us all to avoid actions that will create government-mandated security vulnerabilities in our encryption systems... Any mandatory decryption requirement, such as that included in the discussion draft of the bill that you authored, will to lead to unintended consequences. The effect of such a requirement will force companies to prioritize government access over other considerations, including digital security. As a result, when designing products or services, technology companies could be forced to make decisions that would create opportunities for exploitation by bad actors seeking to harm our customers... The bill would force those providing digital communication and storage to ensure that digital data can be obtained in “intelligible” form by the government, pursuant to a court order. This mandate would mean that when a company or user has decided to use some encryption technologies, those technologies will have to be built to allow some third party to potentially have access.  This access could, in turn, be exploited by bad actors... such a technological mandate fails to account for the global nature of today’s technology. For example, no accessibility requirement can be limited to U.S. law enforcement; once it is required by the U.S., other governments will surely follow. In addition, the U.S. has no monopoly on these security measures. A law passed by Congress trying to restrict the use of data security measures will not prevent their use. It will only serve to push users to non-U.S. companies, in turn undermining the global competitiveness of the technology industry in the United States..."

Four groups signed the open letter: Reform Government Surveillance (RGS), the Computer & Communications Industry Association (CCIA), the Internet Infrastructure Coalition (I2C), and the Entertainment Software Association (ESA). RGS members include Apple, Dropbox, Facebook, Google, LinkedIn, Microsoft, Twitter, and others. CCIA members include Amazon, eBay, Google, Microsoft, Netflix, Pandora, PayPal, Samsung, Sprint, and others. I2C members include Amazon, Google, GoDaddy, HostGator, Verisign, and many more companies worldwide. ESA members include Activision, Disney Interactive Studios, EA, Konami, Nintendo, and others.

Privacy and security advocates itemized several problems with the CCOA. Some experts warn that the proposed legislation makes encryption illegal:

"... if the court orders you to provide the contents of a phone you made, a conversation on your messaging service, an account on your social network, or basically anything that has been made “unintelligible” using encryption, you are required by law to decrypt that information... the very foundation of encrypted communication is the deliberate and transparent impossibility of a third party listening in, service providers and manufacturers included. If it can be accessed, it isn’t encrypted. If it can’t be accessed, it isn’t legal..."

Earlier this month, Congressman Darrell Issa (R-CA), Chairman of the House Judiciary subcommittee responsible for the nation’s Internet policy, described the CCOA as:

“... about as flawed and technically-naive as a piece of legislation can get. Mandating that companies weaken our security to give government secret backdoor access into our devices would be a massive blow to American’s right to privacy and frankly would also be downright dangerous...”

The full text of the CCOA discussion draft is available at Senator Burr's website and here (Adobe PDF, 35k).


The Information The FBI Found After Unlocking The San Bernardino Attacker's iPhone

Remember the Federal Bureau of Investigation (FBI) lawsuit using a 227-year-old law to force Apple Inc. to build "back door" software to unlock an iPhone in California? The FBI said it couldn't unlock the phone, claimed the iPhone had important information on it, but later withdrew its lawsuit after it hired an unnamed third party to hack the iPhone. After all of this, you're probably wondering what information the FBI found on that unlocked iPhone.

Guess what they found? Nothing. Nada. Zilch. Zip. Squat. CNN reported:

"Hacking the San Bernardino terrorist's iPhone has produced data the FBI didn't have before and has helped the investigators answer some remaining questions in the ongoing probe, U.S. law enforcement officials say... Investigators are now more confident that terrorist Syed Farook didn't make contact with another plotter during an 18-minute gap that the FBI said was missing from their timeline of the attackers' whereabouts after the mass shooting... The phone didn't contain evidence of contacts with other ISIS supporters or the use of encrypted communications during the period the FBI was concerned about."

More confident? Either you're confident or you aren't. That's like being pregnant. You can't be more pregnant. But hey... you gotta love those unnamed sources. Sometimes they're accurate, and other times not.

Let's translate this into plain English. The attacker's phone contained nothing, which the FBI spun as valuable. Wow! That's like saying the bulk collection (e.g., spying) of all U.S. citizens' phone calls and emails was valuable because not finding anything proved they were not doing anything criminal.

Wow! The arrogance. The waste of time, money, and resources. It takes a brass set of balls to spin crap like this and keep a straight face.

Yet, the legal wrangling ain't over. An FBI versus Apple lawsuit in Brooklyn continues. And, as CNN reported:

"Apple and the FBI are squaring off again Tuesday in testimony at a House hearing on encryption..."

Yesterday's blog post discussed everything that is wrong with the Burr-Feinstein draft anti-encryption proposal circulating in the U.S. Senate. The FBI must be feeling pretty cocky, since two Senators have its back while ignoring the consequences.

What are your opinions?


5 Things Wrong With the Burr-Feinstein Anti-Encryption Bill

If you haven't heard, two U.S. Senators proposed a bill that forces technology companies to assist law enforcement and break the encryption built into their products and services. The Just Security blog analyzed the proposed bill, called the Compliance with Court Orders Act of 2016 (CCOA).

The CCOA draft was written by Senators Richard Burr (R-NC) and Dianne Feinstein (D-Calif.), leaders of the Senate Intelligence Committee. Its chief provisions:

"Upon receipt of a court order or warrant for “information or data” sought by a federal, state, local, or tribal government in specific types of investigations or prosecutions, the CCOA requires covered entities to give the government the information or data in an “intelligible” (i.e., unencrypted) format, or to provide any “necessary” technical assistance to render it intelligible. The CCOA only kicks in if the data is “unintelligible” (i.e., encrypted) due to “a feature, product, or service” that is “owned, controlled, created, or provided” by the entity (or by a third party on its behalf). The bill says that no government officer can dictate or prohibit specific design requirements to comply with the law."

Covered entities include tech companies: software developers, device manufacturers, communications providers (wired and wireless), and "remote computing services (RCS)." There are several major things wrong with this proposed legislation:

"In short, the bill prohibits covered entities from designing encryption and other security features so encrypted data is accessible only to the user, not law enforcement nor the entity itself. This is what I would call “effective encryption,” but law enforcement derisively calls “warrant-proof” encryption."

Effective encryption makes sense. It is precisely what is needed by both consumers and businesses to protect and keep private sensitive information, proprietary information, and banking transactions. The Burr-Feinstein proposed bill forces tech companies to build products and services with weaker security:

"...The CCOA would prohibit covered entities in the US from implementing state-of-the-art data security in their products and services... effectively outlaw such cornerstone security concepts as end-to-end encryption, forward secrecy, and HTTPS, which encrypts web traffic against hackers, state-sponsored attackers, and other snoops... It makes covered “license distributors” responsible for the compliance of the software being distributed, meaning Apple’s and Google’s app stores would be on the hook for ensuring every app on offer has weak enough security to meet government standards. It would chill innovation by rendering it largely pointless to work on making software and hardware more secure, because only CCOA-compliant security architectures would be legal."

Think of CCOA-compliant security architectures as GovtOS. The government is forcing tech companies to build a GovtOS. That's wrong. Some of the things wrong with the CCOA:

"2. It can’t stop terrorists and criminals from hiding their activities. The joke in the infosec community used to be that “when crypto is outlawed, only outlaws will use crypto.” The joke’s on Burr and Feinstein... Not only are effective encryption offerings readily available from entities based outside the US, there are already millions upon millions of devices, apps, and software programs presently in use that employ the encryption to be banned going forward. The crypto cat is out of the bag, as New America’s Open Technology Institute put it, and law enforcement’s alarmist and unsupported “going dark” rhetoric can’t hide that fact."

"3. There is no “middle ground” on encryption. This one-sided bill tries to hold itself out as the “middle ground” on encryption... But as cryptography experts have repeatedly explained over the last two decades, there is no middle ground on this issue. Mandating a means of access for law enforcement simply isn’t “appropriate” data security. It is a vulnerability, whose use can’t be limited to “good guys” bearing a court order. This was true 20 years ago and it’s still true today."

That's why many security experts call the CCOA an "anti-encryption" proposal. There's plenty more that's wrong with the CCOA. Read the entire Just Security article.

The CCOA is myopic and wrong. It forces tech companies to build inferior products and services with weaker security; and places U.S.-based tech companies at a disadvantage in the world market. It forces tech companies to do, for free, the investigative work law enforcement should do themselves. The CCOA forces tech companies to build GovtOS, regardless of the negative economic consequences to industry and jobs.

If the CCOA bothers you (and I sincerely hope that it does), tell your elected representatives.


What Is Driving The Privacy And Security Focus At Apple

What's driving Apple Inc.'s push for privacy and security for its users? Why is the tech company fighting the U.S. government so strenuously in court? The Techpinions blog explored some interesting reasons and perspectives:

"... balancing security with ease of use... This seemed to be a key phrase and philosophy that is driving Apple’s thinking... Apple is attempting something that seems unprecedented at an industry level. To bring industry leading security but do so by actually enhancing the user experience. Prior to Touch ID for example, many organizations required eight, and sometimes longer, PIN numbers... Apple shared a great statistic: their average user unlocks their phone 80 times a day... 89% of their users with a Touch ID-capable device have set it up and use it..."

That makes total sense. How secure are Apple devices? Consider:

"After sitting through the technical explanations of how Apple has specifically designed the interplay of custom silicon like the A-series processors, iOS, and the Secure Enclave coprocessor, I came to the realization that, while I knew the iPhone was a secure device, I really had no idea just how secure it actually is. It can’t be overstated how essential Apple’s custom designed silicon is to the security of iOS products. For example, in a Mac, running software designed by Apple but using a main CPU and GPU made by Intel/AMD/Nvidia, they have put security measures in place including encrypting the entire storage disk. However, with the custom A-series processors, custom designed secure enclave co-processor, and custom designed iOS, Apple is able to encrypt every single file on your iOS device, not just the entire disk... What I find most interesting about Apple’s story around security is how it goes much deeper than a feature. While security, in this case, could be perceived as a feature, my read on what Apple is doing is going a step beyond simply making security a feature and making it a priority. It is a deep guiding philosophy..."

Kudos to the executives at Apple. Other software developers, hardware manufacturers, law enforcement executives, and makers of Internet of Things (IoT) devices would be wise to take heed and learn. Consumers value their privacy greatly. We're awake and watching.


Drone Strikes Commercial Airliner While Landing At London Airport

Several news organizations reported this morning that a drone struck a commercial airliner during its approach to land at an airport in England. CNN reported:

"British Airways Flight BA727 from Geneva, Switzerland, was coming in to land at London's Heathrow Airport when the pilot said he thought a drone had struck the front of the aircraft, London Metropolitan Police said."

During the drone strike, the plane was descending and at an altitude of about 1,700 feet. The plane landed safely and no passengers were injured. Officials inspected the plane and found no damage. Government authorities are investigating. They do not know who operated the drone, nor the type of drone. So far, officials haven't found any debris from the drone during a land search.

In the United Kingdom, as in the United States, drone operators are supposed to operate their drones within flight restrictions (e.g., 400-foot maximum altitude, not near airports). The trouble is enforcement. There doesn't seem to be any way for government authorities to enforce the restrictions.

In the United States, the Federal Aviation Administration (FAA) is responsible for maintaining the safety of our skies. Current flight restrictions by the FAA for drones (also called Unmanned Aircraft Systems):

"Fly below 400 feet and remain clear of surrounding obstacles. Keep the aircraft within visual line of sight at all times. Remain well clear of and do not interfere with manned aircraft operations. Don't fly within 5 miles of an airport unless you contact the airport and control tower before flying. Don't fly near people or stadiums. Don't fly an aircraft that weighs more than 55 lbs. Don't be careless or reckless with your unmanned aircraft – you could be fined for endangering people or other aircraft"

What does "near" mean: 5 feet, 5 yards, 50 yards, 500 yards, or 5 miles? What does "careless" mean? Enforcement seems to be an open security issue. There is nothing stopping drone operators from violating these flight rules. The FAA registration rules seem equally problematic:

"Anyone who owns a small unmanned aircraft that weighs more than 0.55 lbs. (250g) and less than 55 lbs. (25kg) must register with the Federal Aviation Administration's UAS registry before they fly outdoors. People who do not register could face civil and criminal penalties... The owner must be: 13 years of age or older...A U.S. citizen or legal permanent resident."

How is this enforced when anyone can walk into a retail store and buy a drone (or order one online)?

The Heathrow drone strike should not be a surprise. There were two near misses in New York in August last year. The CNN news story also reported:

"A recent report, based on the center's analysis of Federal Aviation Administration data from August 21, 2015 to January 31, 2016, said there were 519 incidents involving passenger aircraft and unmanned drones in the U.S. within that period."

Last year, U.S. Senator Chuck Schumer (Democrat-New York) proposed an amendment to the Federal Aviation Administration Re-authorization bill to require all remote-controlled aircraft sold in the United States to have tracking mechanisms installed. The mechanisms would use geo-fencing technology to keep drones away from high-value targets, such as airports, major parades, the Pentagon, major sporting events, and sports stadiums.

Drones have many valid uses, including faster, easier safety inspections of infrastructure, such as bridges, residential roofs, towers, and stacks; plus commercial package delivery. While drone pilots have been required to register with the FAA since December, there are still many unregistered operators.

The Heathrow drone strike could have had a very different result. It seems the drone bounced off the plane's metal exterior. A strike that punctures a windshield, or damages an engine, could produce a different outcome.

Once terrorists figure out the security hole with drone flight enforcement, you can bet they will test security limits. Heaven forbid terrorists pack explosives on larger drones and successfully fly them into a commercial airliner. If this happens, the travel industry will take a huge economic hit as consumers fly less often, or stop flying altogether (and take trains or buses). Related tourism industries and locations would also be affected economically. People will lose jobs.

A more sensible approach would have been to put in place drone flight rules combined with effective enforcement processes before allowing consumers to purchase drones. One could argue that limits already apply to other purchases. Consumers cannot buy an M1A2 Abrams battle tank or a howitzer cannon. Maybe consumers should not be able to buy drones until effective enforcement and safety processes are in place first. Last year, a person installed and fired a handgun on his drone.

If this bothers you (and I sincerely hope that it does), tell your elected officials. What are your opinions of drone safety?


Boston Mayor Announced Verizon Partnership And Fiber High-Speed Internet Expansion Across City

During a Boston City Council meeting in October 2015, Verizon representatives firmly stated the company's disinterest in expanding its FiOS fiber-based high-speed Internet services throughout the city. That position resulted in a lack of broadband Internet competition, with Comcast often the only service available in the city. (The FCC increased the minimum broadband speed, so DSL services no longer qualify.) I was pleasantly surprised when Boston Mayor Marty Walsh announced on Tuesday:

"... a new partnership with Verizon to make Boston one of the most technologically advanced cities in the country by replacing its copper-based infrastructure with a state-of-the-art fiber-optic network platform across the city. The new network will offer enormous bandwidth and speeds. Through an investment of more than $300 million from Verizon over six years, this change will bring increased competition and choice for broadband and entertainment services in Boston..."

This is welcome news. Other Internet Service Providers (ISPs) offer slower speeds and charge high prices for those slower speeds. This worldwide study found that municipal broadband networks provide consumers with the best value (e.g., highest speeds at the lowest prices via wired lines). Thankfully, Massachusetts is not one of the 19 states with laws that prevent local towns and cities from forming their own municipal broadband networks. Consumers everywhere need choice and more competition.

Verizon fiber broadband construction in Boston will start:

"... in Dorchester, West Roxbury and the Dudley Square neighborhood of Roxbury in 2016, followed by Hyde Park, Mattapan, and other areas of Roxbury and Jamaica Plain. The city has also agreed to provide an expedited permitting process to encourage this build... As a next step, the city will begin the cable television licensing process. Upon successful completion of the licensing process, Verizon expects to offer FiOS TV service in Boston... Verizon kicked off the new collaboration by presenting a $100,000 Digital Equity contribution to the city, which will be used to support a mobile hotspot lending program at the Boston Public Library."

The partnership will measure demand from residents and businesses, and prioritize construction, using the www.verizon.com/BostonFiber website. Residents and businesses should visit the site and vote (for free) to ensure that their neighborhood gets fiber broadband first.

The partnership also includes the installation of Internet-connected devices in public areas, which is one portion of the Internet of Things (IoT):

"... an innovative "Smart Cities" trial that will address traffic safety and congestion along the Massachusetts Avenue Vision Zero Priority Corridor. The city and Verizon will experiment with sensors and advanced traffic signal control technology to increase safety, measure bicycle traffic, improve public transit vehicle flow, and decrease congestion. Future "Smart Cities" applications will address other key services, including environmental sensors, energy efficiency, and city lighting management."

As the projects move forward, it will be interesting to learn what data will be collected by the IoT devices and what data-sharing agreements are in place. Details matter. Verizon also announced:

"This partnership will also improve wireless services in Boston by enabling Verizon to attach wireless equipment to city street lights and utility poles, helping residents get fast, reliable mobile service."

Fiber broadband availability is good news. I visited the Boston Fiber website and voted. The site asks for your full name, email, and mobile phone number to provide availability updates. The site confirmed that I live in the area the partnership considers Zone A: the first area to get Verizon FiOS.

With all of this good news, sadly it seems to already be two steps forward and one step backward. Verizon has failed to reach agreement with its workers' unions, who went on strike yesterday. CNN reported:

"Most of the striking workers service the company's landline phone business and FiOS broadband network -- not the much larger Verizon Wireless network. They have gone without a contract since August, and their union, the Communication Workers of America, says it is fighting to get Verizon to come to the table with a better offer. The union's list of complaints is a long one: Verizon has outsourced 5,000 jobs to workers in Mexico, the Philippines and the Dominican Republic. Verizon is hiring more low-wage, non-union contractors... The union also claims Verizon won't negotiate with people who work in Verizon stores and is closing call centers. And Verizon is asking workers to work out of state, away from their homes, for months at a time. Meanwhile, the union says Verizon is cutting costs as its profits have soared."

I am sure that many residents and businesses want to order Verizon FiOS fiber broadband, and have it installed by fully trained and experienced technicians, not hastily gathered replacements.

After I voted, the Verizon website presented the image below with relative vote counts for Boston fiber:

Verizon FiOS fiber broadband Internet for Boston: relative vote counts by neighborhood.


Report: Lawsuits Resulting From Corporate Data Breaches

Chart 1: Bryan Cave LLP: 2016 Breach Litigation Report.

This week, the law firm of Bryan Cave LLP released its annual review of litigation related to data breaches. 83 cases were filed, representing a 25 percent decline compared to the prior year. Other key findings from the 2016 report:

"Approximately 5% of publicly reported data breaches led to class action litigation. The conversion rate has remained relatively consistent as compared to prior years... When multiple filings against single defendants are removed, there were only 21 unique defendants during the Period. This indicates a continuation of the “lightning rod” effect noted in the 2015 Report, wherein plaintiffs’ attorneys are filing multiple cases against companies connected to the largest and most publicized breaches, and are not filing cases against the vast majority of other companies that experience data breaches..."

Slightly more than half (51 percent) of all cases were national. The most popular venues where lawsuits were filed included the Northern District of Georgia, the Central District of California, the Northern District of California, and the Northern District of Illinois. However:

"Choice of forum, however, continues to be primarily motivated by the states in which the company-victims of data breaches are based."

Negligence was alleged in 75 percent of lawsuits. Which industries were frequently sued, and which weren't:

"... the medical industry was disproportionately targeted by the plaintiffs’ bar. While only 24% of publicly reported breaches related to the medical industry, nearly 33% of data breach class actions targeted medical or insurance providers. The overweighting of the medical industry was due, however, to multiple lawsuits filed in connection with two large scale breaches... There was a 76% decline in the percentage of class actions involving the breach of credit cards... The decline most likely reflects a reduction in the quantity of high profile credit card breaches, difficulties by plaintiffs’ attorneys to prove economic harm following such breaches, and relatively small awards and settlements.."

57 percent of cases included sensitive personal information (e.g., Social Security numbers), 23 percent of cases included debit/credit card information, and 18 percent of cases included credit reports. The law firm reviewed lawsuits occurring during a 15-month period ending in December, 2015. Data sources included Westlaw Pleadings, Westlaw Dockets, and PACER databases.

Historically, some lawsuits by consumers haven't succeeded when courts have dismissed cases because plaintiffs weren't able to prove injuries. According to the Financial Times:

"However, decisions from a number of high-profile cases are likely to make it easier for consumers to bring suits against companies in the event of a data breach... For example, in July 2015, the Seventh US Circuit Court of Appeals, overturning a previous judgment, ruled that customers of Neiman marcus could potentially sue the retailer because they were at substantial risk of identity theft or becoming victims of fraud..."

Learn more about the Neiman Marcus class-action. Criminals hack corporate databases specifically to reuse (or resell) victims' stolen sensitive personal and payment information to obtain fraudulent credit, drain bank accounts, and/or hack online accounts -- injuries which often don't happen immediately after the breach. That's what identity thieves do. Hopefully, courts will take a broader, more enlightened view.

I look forward to reading future reports which discuss drivers' license data, children's online privacy, and the Internet of Things (IoT). View the "2016 Data Breach Litigation Report" by Bryan Cave LLP. Below is another chart from the report.

Chart 2: Bryan Cave LLP: 2016 Breach Litigation Report.


Goldman Sachs Bank To Pay $5 Billion To Settle Charges About Mortgage Abuses

Department of Justice logo The U.S. Justice Department announced on Monday a $5.06 billion settlement agreement with Goldman Sachs over the bank's conduct in the packaging, marketing, and sale of residential mortgage-backed securities (RMBS) between 2005 and 2007. Terms of the agreement require the bank to:

  • Pay a $2.385 billion civil penalty under the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA),
  • Pay $875 million to resolve claims by other federal and state entities. This includes $575 million to the National Credit Union Administration, $37.5 million to the Federal Home Loan Bank of Des Moines (as successor to the Federal Home Loan Bank of Seattle), $37.5 million to the Federal Home Loan Bank of Chicago, $190 million to the state of New York, $25 million to the state of Illinois, and $10 million to the state of California. And,
  • Provide $1.8 billion in other relief for underwater homeowners, distressed borrowers, and affected communities. Some of that relief includes loan forgiveness and financing for affordable housing.

The announcement described activities by specific departments in the bank:

"Goldman’s Mortgage Capital Committee, which included senior mortgage department personnel and employees from Goldman’s credit and legal departments, was required to approve every RMBS issued by Goldman.  Goldman has now acknowledged that “[t]he Mortgage Capital Committee typically received . . . summaries of Goldman’s due diligence results for certain of the loan pools backing the securitization,” but that “[d]espite the high numbers of loans that Goldman had dropped from the loan pools, the Mortgage Capital Committee approved every RMBS that was presented to it between December 2005 and 2007.”  As one example, in early 2007, Goldman approved and issued a subprime RMBS backed by loans originated by New Century Mortgage Corporation, after Goldman’s due diligence process found that one of the loan pools to be securitized included loans originated with “[e]xtremely aggressive underwriting,” and where Goldman dropped 25 percent of the loans from the due diligence sample on that pool without reviewing the unsampled 70 percent of the pool to determine whether those loans had similar problems."

U.S. Attorney Benjamin B. Wagner of the Eastern District of California described the settlement agreement:

“Today’s settlement is yet another acknowledgment by one of our leading financial institutions that it did not live up to the representations it made to investors about the products it was selling... Goldman’s conduct in exploiting the RMBS market contributed to an international financial crisis that people across the country, including many in the Eastern District of California, continue to struggle to recover from. I am gratified that this office has developed investigations, first against JPMorgan Chase and now against Goldman Sachs, that have led to significant civil settlements that hold bad actors in this market accountable. The results obtained by this office and other members of the RMBS Working Group continue to send a message to Wall Street that we remain committed to pursuing those responsible for the financial crisis.”

The RMBS Working Group was formed in 2012, and Goldman is the last of the big banks to reach a settlement. Prior RMBS settlement agreements included $16.65 billion with Bank of America, $13 billion with JPMorgan, $7 billion with Citibank, and $1 billion with SunTrust. Yes, there have been so many that it can be difficult to keep track.

The settlement agreement has already received much criticism. The New York Times reported:

“They appear to have grossly inflated the settlement amount for P.R. purposes to mislead the public, while in the fine print, enabling Goldman Sachs to pay 50 to 75 percent less,” said Dennis Kelleher, the founder of the advocacy organization Better Markets, referring to the government announcement. “The problem all along, with all of these settlements — and this one highlights it even more — is that they are carefully crafted more to conceal than reveal to the American public what really happened here — and what the so-called penalty is.”

And:

"... Goldman bought loans issued by subprime mortgage specialists like Countrywide Financial. Goldman then packaged these loans into bonds that were able to get the highest rating from credit rating agencies. The loans were sold to investors, who sustained losses when the loans went sour. Over the course of 2006, Goldman employees took note of the decreasing quality of loans that it was buying... When an outside analyst wrote a positive report about Countrywide’s stock in April 2006, the head of due diligence at Goldman wrote in an email: “If they only knew.”Despite the worrying signs, Goldman did not alert investors who were buying the bonds it was packaging..."

Also, Goldman Sachs will receive credits that reduce the total amount of taxes the bank will pay:

"... any money that Goldman spends on consumer relief will be deductible from its corporate tax bill. If Goldman spends $2.5 billion on consumer relief, and pays the maximum United States corporate tax rate of 35 percent, it could, in theory, reap $875 million in tax savings. But Goldman could easily pay less than $2.5 billion in consumer relief because of the sections of the settlement that give it extra credit for certain types of activity."

This means that taxpayers effectively pay for part of the fine or penalty. That is nuts, since taxpayers did nothing wrong. The bank did. Unfortunately, we've seen tax-deductible portions before in multi-billion-dollar bank settlement agreements. The Justice Department's comment about "pursuing those responsible" seems directed at companies and never at individuals. Nobody has gone to jail, even after reports last year about possible criminal charges against bank executives.

It seems that the threat of criminal charges is a "stick" or feeble attempt the Justice Department uses during settlement negotiations. The Justice Department announcement also stated:

"The settlement expressly preserves the government’s ability to bring criminal charges against Goldman, and does not release any individuals from potential criminal or civil liability."

Enough words. We taxpayers demand action. Many consumers lost homes and others had lives disrupted during and after the financial meltdown of 2007-08, fueled largely by banks' wrongdoing. The settlement agreements haven't been only about mortgage abuses. Several banks paid billions in fines to settle foreign exchange market abuses, and unlawful foreclosures on homeowners. Add to this: a 2012 survey found many bank executives view unethical or illegal behavior as necessary to advance. A 2013 survey of bank executives found two key results: a) bad actors don't act alone nor unseen, and b) junior executives were more likely than older executives to know about, accept, and participate in illegal and/or unethical activities.

The long list of multi-billion-dollar settlements suggests the industry is unable (or unwilling) to fix its ethics problem. Those junior executives are now several years older, more experienced, and probably in managerial positions. When will there be criminal prosecutions of bank executives?


FCC Proposed New Privacy Rules To Help Consumers With Broadband Internet Services

Federal Communications Commission logo Earlier this month, the U.S. Federal Communications Commission (FCC) proposed new privacy rules to protect consumers who subscribe to high-speed Internet services. The rules clarify when Internet service providers (ISPs) must obtain the consumer's consent before using or sharing customer data. A summary:

"Consent Inherent in Customer Decision to Purchase ISP’s Services: Customer data necessary to provide broadband services and for marketing the type of broadband service purchased by a customer – and for certain other purposes consistent with customer expectations, such as contacting public safety – would require no additional customer consent beyond the creation of the customer-ISP relationship.

Opt-out: Broadband providers would be allowed to use customer data for the purposes of marketing other communications-related services and to share customer data with their affiliates that provide communications-related services for the purposes of marketing such services unless the customer affirmatively opts out.

Opt-in: All other uses and sharing of consumer data would require express, affirmative “opt-in” consent from customers."

Additional rules require ISPs to clearly provide notices, opt-in mechanisms, and opt-out mechanisms:

"Transparency requirements that require ISPs to provide customers with clear, conspicuous and persistent notice about what information they collect, use and share with third parties, and how customers can change their privacy preferences;

Robust and flexible data security requirements for broadband providers that include requirements to adopt risk management practices; institute personnel training practices; implement strong customer authentication requirements; identify a senior manager responsible for data security; and take responsibility for use and protection of customer information when shared with third parties;

Common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information."

The Notice of Proposed Rulemaking (NPRM - Adobe PDF format) contains the detailed statements. (The document is also available here.) Privacy matters here because broadband Internet access is now required for almost everything consumers do. In January, 50 consumer and privacy groups urged the FCC to tighten broadband privacy rules for ISPs. In March, the FCC released a broadband privacy Fact Sheet, which stated in part:

"Telephone networks have had clear, enforceable privacy rules for decades, but broadband networks currently do not... An ISP handles all of its customers’ network traffic, which means it has an unobstructed view of all of their unencrypted online activity – the websites they visit, the applications they use. If customers have a mobile device, their provider can track their physical and online activities throughout the day in real time. Even when data is encrypted, broadband providers can still see the websites that a customer visits, how often they visit them, and the amount of time they spend on each website. Using this information, ISPs can piece together enormous amounts of information about their customers – including private information such as a chronic medical condition or financial problems. A consumer’s relationship with her ISP is very different than the one she has with a website or app. Consumers can move instantaneously to a different website, search engine or application. But once they sign up for broadband service, consumers can scarcely avoid the network for which they are paying a monthly fee."

You don't need to look far to find abuses and questionable customer service historically by ISPs. This blog has covered many of those abuses:

Historically, ISPs have sought increased revenues and viewed targeted (behavioral) advertising as the means. To do this, they partnered with several technology companies (some went out of business after class-action lawsuits) to spy on consumers without notice, without consent, and without providing opt-out mechanisms. Consumers should control their privacy, not ISPs.

These proposed rules seem reasonable and common-sense. Consumers should be able to register for (i.e., opt in to) additional programs they want and unsubscribe from (i.e., opt out of) programs they don't want from their ISP.

Like any newly proposed rules, there is a comment period where the FCC seeks feedback from both consumers and companies. (A democracy requires participation.) If you like, or dislike, or want the proposed rules modified, then tell the FCC and explain why. The deadline for submitting feedback is May 27, 2016. Submit feedback online at the FCC website. The site lists several open proceedings for comments, so use Docket Number 16-106: "Protecting the Privacy of Customers of Broadband and Other Telecommunications Services."


FBI Bought Tool To Hack San Bernardino Attacker's iPhone. Plans Brooklyn Court Action To Force Apple To Unlock iPhone

Federal Bureau of Investigation logo A previous blog post discussed the assistance the U.S. Federal Bureau of Investigation (FBI) received from an undisclosed company after abandoning its lawsuit against Apple, Inc. over the San Bernardino attacker's iPhone. There have been two important developments this week.

First, CNN reported on Thursday about the hacking method:

"FBI Director James Comey said Wednesday that the government had purchased "a tool" from a private party in order to unlock the iPhone used by one of the San Bernardino shooters... FBI Director James Comey said Wednesday that the government had purchased "a tool" from a private party in order to unlock the iPhone used by one of the San Bernardino shooters."

FBI Director James Comey did not disclose the name of the tool nor the company's name. The CNN news story also discussed whether or not the government will inform Apple about the hacking method:

"Comey said the government was currently considering whether to tell Apple how it pulled off the hack. "We tell Apple, then they're going to fix it, then we're back where we started from," he said. "We may end up there, we just haven't decided yet."

Second, NBC News reported today that the government plans legal action in Brooklyn to force Apple to unlock an iPhone:

"The Justice Department notified a federal judge Friday that it intends to pursue a lawsuit in Brooklyn against Apple, seeking to force the company to open the iPhone of a convicted New York drug dealer. In February, the judge denied the FBI's request to force Apple to open the New York phone, but the Justice Department appealed that ruling... The method a third party provided to open the San Bernardino phone won't work on the Brooklyn phone, federal officials said. "

So the legal fight will continue to force a tech company to build "back door" software into its product. Three things seem clear: a) the FBI wants an updated legal precedent (rather than a 227-year-old law) to force any tech company to build "back door" software into its products and services; b) the FBI believes that it has a stronger case in Brooklyn. Having hacked an iPhone in California, it can argue with more credibility in court why it needs Apple's help in Brooklyn; and c) if successful in court in Brooklyn, the FBI gets investigative tools for free rather than having to pay.

Obviously, news about this story will continue to break. There is so much unknown and undisclosed.


Report: Significant Security Risks With Healthcare And Financial Services Mobile Apps

Arxan Technologies logo Arxan Technologies recently released its fifth annual report about the state of application security. This latest report also highlighted some differences between how information technology (I.T.) professionals and consumers view the security of healthcare and financial services mobile apps. Overall, Arxan found critical vulnerabilities:

"84 percent of the US FDA-approved apps tested did not adequately address at least two of the Open Web Application Security Project (OWASP) Mobile Top 10 Risks. Similarly, 80 percent of the apps tested that were formerly approved by the UK National Health Service (NHS) did not adequately address at least two of the OWASP Mobile Top 10 Risks... 95 percent of the FDA-approved apps, and 100 percent of the apps formerly approved by the NHS, lacked binary protection, which could result in privacy violations, theft of personal health information, and tampering... 100 percent of the mobile finance apps tested, which are commonly used for mobile banking and for electronic payments, were shown to be susceptible to code tampering and reverse-engineering..."

Some background about the U.S. Food and Drug Administration (FDA). The FDA revised its guidance for mobile medical apps in September, 2015. The top of that document clearly states, "Contains Nonbinding Recommendations." The document also explains which apps the FDA regulates (link added):

"Many mobile apps are not medical devices (meaning such mobile apps do not meet the definition of a device under section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act)), and FDA does not regulate them. Some mobile apps may meet the definition of a medical device but because they pose a lower risk to the public, FDA intends to exercise enforcement discretion over these devices (meaning it will not enforce requirements under the FD&C Act). The majority of mobile apps on the market at this time fit into these two categories. Consistent with the FDA’s existing oversight approach that considers functionality rather than platform, the FDA intends to apply its regulatory oversight to only those mobile apps that are medical devices and whose functionality could pose a risk to a patient’s safety if the mobile app were to not function as intended. This subset of mobile apps the FDA refers to as mobile medical apps."

The Arxan report found that consumers are concerned about mobile app security:

"80 percent of mobile app users would change providers if they knew the apps they were using were not secure. 82 percent would change providers if they knew alternative apps offered by similar service providers were more secure."

Arxan commissioned a third party to survey 1,083 persons in the United States, United Kingdom, Germany, and Japan during November, 2015. 268 survey participants were I.T. professionals and 815 were consumers. Separately, Arxan hired Mi3 to test mobile apps during October and November, 2015. Those tests covered 126 health and financial mobile apps on both the Apple iOS and Android platforms, 19 mobile health apps approved by the FDA, and 15 mobile health apps approved by the UK NHS.

One difference in app security perceptions between the two groups: 82 percent of I.T. professionals believe "everything is being done to protect my apps" while only 57 percent of consumers hold that belief. To maintain privacy and protect sensitive personal information, Arxan advises consumers to:

  1. Buy apps only from reputable app stores,
  2. Don't "jailbreak" your mobile devices, and
  3. Demand that app developers disclose upfront the security methods and features in their apps.

The infographic below presents more results from the consolidated report. Three reports by Arxan Technologies are available: consolidated, healthcare, and financial services.

Arxan Technologies. 5th Annual State of App Security infographic
Infographic reprinted with permission.


Tax Related Identity Theft And Fraud: Next Steps For Victims

This morning, a friend sent the following via e-mail:

"Just learned today that I was a victim of identity theft. My accountant tried to electronically file my income tax but it was rejected. The IRS told him I already filed. Since the early return is obviously fraudulent I was told I could not electronically file but had to file with paper. Spent the last couple hours notifying credit bureaus and the Federal Trade Commission. It doesn't appear they have applied for any new credit card yet. I wonder whether they got a refund in my name. I also have been involved in a couple big data breaches where the company who lost my data has provided free credit monitoring services. None of the services have detected fraudulent activities. It must've been through one of these that someone got hold my Social Security number. So far so good, but this is an extra headache I didn't need."

It was sad to read this e-mail message. Identity theft is always a major pain and inconvenience. I experienced this in 2007 after IBM, Inc. had its massive data breach. There's a lot to consider and to do. Most consumers have no idea what to do next. That's why I started blogging about identity theft, data breaches, and corporate responsibility. The blog has been a good tool for me to catalog what I've learned about what to do next.

Since my friend's sensitive information (e.g., name, address, phone, Social Security number, and maybe more) is out in the wild, thieves will sell and resell it as long as they think the information is usable. The criminals now know enough about my friend that they will try to commit more fraud -- often by impersonating my friend to gain access to their financial accounts. Thieves may call the customer service departments at banks pretending to be my friend. While writing this blog over the last 8+ years, I've learned that identity thieves are smart, persistent, and go where the money is.

I suggested that my friend do the following to protect themselves:

  1. It seems my friend is already following the advice from the Internal Revenue Service (IRS) for victims of tax-related identity theft and fraud. That's a good start. Another good place to start is the Identity Theft site by the U.S. Federal Trade Commission (FTC). Follow the next steps recommended by the FTC.
  2. File a police report with the local police department. They’ll probably do nothing, but this will help my friend create a paper trail. Certain documents will be needed when filing claims with insurance companies.
  3. While my friend has already contacted the three major credit reporting agencies (TransUnion, Experian, and Equifax), don't stop with a Fraud Alert. That’s weak tea. Do a Security Freeze instead. That will prevent fraudsters from taking out new loans or getting credit in my friend's name. This will cost up to $10 for each.
  4. Call financial institutions and advise them of your identity theft. Follow any processes the banks have. Get new debit/credit card numbers if your card information (card name, account number, security code, etc.) was exposed in #6.
  5. Change online passwords for all financial accounts (e.g., checking, savings, mortgages, insurance, credit cards, 401-K, IRA’s, etc.). Notify them that your data has been stolen and used. Follow any procedures the banks have for reporting fraud. Don’t use the same password at multiple sites. Why? Thieves will use a stolen password at several websites, to see where else they can break in.
  6. Since one or more companies had data breaches that exposed my friend's sensitive information, my friend should notify each company that thieves have used their sensitive information for tax-related fraud. These companies will probably deny that their breach was the cause, but my friend is informing them of the consequences. If the breach was bad, there may be an upcoming class action, so I encouraged my friend to consider and join any class-action lawsuits. The financial rewards may be beneficial.
  7. Thieves will continue to use my friend's stolen information as long as they think it is useful. So, my friend will need to be vigilant. That means continuing to periodically monitor bank account statements and credit reports for fraudulent entries (especially if my friend uses only the Fraud Alert option). This sucks, but that is the reality in the digital information economy. When companies have data breaches, we consumers are usually left with the cleanup burden.
  8. If the companies in #6 offer free credit monitoring services, accept the offer and use it. Those monitoring services can help with #7. Plus, these monitoring services usually offer fraud resolution services: the detailed, time-consuming, and complicated process of cleaning up accounts and records muddled by thieves. If the corporate data breaches in #6 included my friend's spouse and/or dependents, be sure that any credit monitoring services cover these persons.
  9. Keep a solid paper trail. My friend will likely need some of this documentation later.
  10. Stay in touch with both the IRS and the Department of Revenue in the state where you live. The thieves may file fraudulent state tax returns, too. Both the federal and my friend's state tax agencies have fraud procedures. Respond to any notifications you receive from both; preferably in writing.
  11. If any of the companies in #6 was a health care provider and the breach included medical records, then my friend is at risk for both financial fraud and medical fraud. More steps apply for medical fraud and the resolution process is even more complicated. For example, the thief's blood type and other health data could be co-mingled with the victim's, introducing errors and other risks.
  12. Some criminals use stolen identity information to get bogus driver's licenses. If my friend gets stopped by the police while driving, don't panic. Explain the identity theft to law enforcement and refer to the police report from #2. My friend may have to get fingerprinted, since that is a good method to distinguish the fraudster from my friend.
  13. Some criminals sell stolen information to undocumented people to gain employment. So, my friend's stolen Social Security Number may be used by another person. When several persons use the same Social Security number for employment, there are plenty of consequences. (There's the infamous case of 81 persons using the same SSN.) The Identity Theft Resource Center recommends solutions for SSN fraud victims. See the Social Security Administration's process for reporting fraud. Check the contractual agreement for a credit monitoring service to see if its resolution services cover this.
  14. Keep the anti-virus software updated on all devices (e.g., desktop, laptop, phone, tablet) and run scans at least once monthly.

That was my advice to my friend. What might you advise?


Facts About Debt Collection Scams And Other Consumer Complaints

Logo for Consumer Financial Protection Bureau The Consumer Financial Protection Bureau (CFPB) recently released a report about debt collection scams. The report is based upon more than 834,000 complaints filed by consumers nationally with the CFPB about financial products and services: checking and savings accounts, mortgages, credit cards, prepaid cards, consumer loans, student loans, money transfers, payday loans, debt settlement, credit repair, and credit reports. Complaints about debt collection accounted for 26 percent of all complaints.

The most frequent complaint concerns attempts to collect money from consumers for debts they don't owe. This accounted for 38 percent of all debt-collection complaints submitted. Complaints also included harassment:

"Consumers complained about receiving multiple calls weekly and sometimes daily from debt collectors. Consumers often complained that the collector continued to call even after being repeatedly told that the alleged debtor could not be contacted at the dialed number. Consumers also complained about debt collectors calling their places of employment... Consumers complained that they were not given enough information to verify whether or not they owed the debt that someone was attempting to collect. "

The two companies with the most complaints:

"... were Encore Capital Group and Portfolio Recovery Associates, Inc. Both companies, which are among the largest debt buyers in the country, averaged over 100 complaints submitted to the Bureau each month between October and December 2015. In 2015, the CFPB took enforcement actions against these two large debt buyers for using deceptive tactics to collect bad debts."

Compared to a year ago, debt collection complaints increased the most in Indiana (38 percent), Arizona (27 percent), and New Hampshire (26 percent) during December 2015 through February 2016. Debt collection complaints decreased the most in Maine (-34 percent), Wyoming (-26 percent), and North Dakota (-23 percent). And:

"Of the five most populated states, California (10 percent) experienced the greatest percentage increase and Illinois (-4 percent) experienced the greatest percentage decrease in debt collection complaints..."

The report lists the 20 companies with the most debt-collection complaints during October through December 2015. The top five companies by average monthly debt-collection complaints are Encore Capital Group (139.3), Portfolio Recovery Associates, Inc. (112.3), Enhanced Recovery Company, LLC (65.7), Transworld Systems Inc. (63.7), and Citibank (54.7). This top-20 list also includes several banks: Synchrony Bank, Capital One, JPMorgan Chase, Bank of America, and Wells Fargo.

While the March Monthly Complaint Report by the CFPB focused upon debt collection complaints, it also provides plenty of detailed information about all categories of complaints. From December 2015 through February 2016, the CFPB received on average every month about 6,856 debt collection complaints, 4,211 mortgage complaints, 3,556 credit reporting complaints, 2,021 complaints about bank accounts or services, and 1,995 complaints about credit cards. Most categories showed increased complaint volumes compared to the same period a year ago. Only two categories showed a decline in average monthly complaints: credit reporting and payday loans. Debt collection complaints were up 6 percent.

Compared to a year ago, average monthly complaint volume (all categories) increased in 40 states and decreased in 11 states. The top five states with the largest increases (all categories) included Connecticut (31 percent), Kansas (30 percent), Georgia (25 percent), Louisiana (25 percent), and Indiana (24 percent). The top five states with the largest decreases (all categories) included Hawaii (-25 percent), Maine (-19 percent), South Dakota (-14 percent), District of Columbia (-8 percent), and Idaho (-6 percent). Also:

"Of the five most populated states, New York (12 percent) experienced the greatest complaint volume percentage increase, and Texas (-8 percent) experienced the greatest complaint volume percentage decrease from December 2014 to February 2015 to December 2015 to February 2016."

The chart below lists the 10 companies with the most complaints (all categories) during October through December, 2015:

Companies with the most complaints. CFPB March 2016 Monthly Complaints Report.

The "Other" category includes consumer loans, student loans, prepaid cards, payday loans, prepaid cards, money transfers, and more. During this three-month period, complaints about these companies totaled 46 percent of all complaints. Consumers submit complaints about the national big banks covering several categories. According to the CFPB March complaints report (links added):

"By average monthly complaint volume, Equifax (988), Experian (841), and TransUnion (810) were the most-complained-about companies for October - December 2015. Equifax experienced the greatest percentage increase in average monthly complaint volume (32 percent)... Ocwen experienced the greatest percentage decrease in average monthly complaint volume (-18 percent)... Empowerment Ventures (parent company of RushCard) debuted as the 10th most-complained-about company..."

To learn more about the CFPB, there are plenty of posts in this blog. Simply enter "CFPB" in the search box in the right column.