
New York State Strengthens Its Data Breach Laws

To help its residents, the State of New York has improved its existing data breach law. Governor Andrew Cuomo signed two bills on July 25th:

"The Governor signed the Stop Hacks and Improve Electronic Data Security - or SHIELD - Act (S.5575B/A.5635), which imposes stronger obligations on businesses handling private data to provide proper notification to affected consumers when there is a security breach. The Governor also signed legislation (A.2374/S.3582) requiring consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who have been affected by a security breach of the agency's system."

The Governor's announcement emphasized the importance of the state's laws keeping pace with rapid advances in technology. To address new technologies, the SHIELD Act will provide stronger protections by:

"1) Broadening the scope of information covered under the notification law to include biometric information and email addresses with their corresponding passwords or security questions and answers; 2) Updating the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information; 3) Extending the notification requirement to any person or entity with private information of a New York resident, not just those who conduct business in New York State; 4) Expanding the definition of a data breach to include unauthorized access to private information; and 5) Creating reasonable data security requirements tailored to the size of a business."

The full text of the SHIELD Act legislation is available here. The SHIELD Act will go into effect on March 21, 2020. The announcement also mentioned Equifax:

"In late July 2017, one of the three main credit reporting agencies, Equifax Inc., experienced a major data breach involving personal information, including social security numbers... the company's response was insufficient and it is unacceptable that consumers were left to bear the burden to protect their own identities even though their information was stolen at no fault of their own. On July 22, 2019, Governor Cuomo, the State Department of Financial Services and State Attorney General James announced a $19.2 million settlement with Equifax over the data breach. As part of that settlement, Equifax agreed to provide New York consumers with credit monitoring services and free annual credit reports, and the company will pay restitution to consumers affected by the breach..."

So, it seems that Equifax's breach and data security failures factored into the new legislation. The announcement also explained the new Identity Theft Prevention and Mitigation Services (A.2374/S.3582) legislation:

"This legislation establishes the minimal amount of long-term protections to consumers who are affected by a data breach from a credit reporting agency. It requires a credit reporting agency that suffers a breach of information containing consumer social security numbers to provide five-year identity theft prevention services, and if applicable, identity theft mitigation services to affected customers. Additionally, the legislation requires credit reporting agencies to inform consumers on credit freezes of a breach of data involving a social security number, and provides consumers with the right to freeze their credit at no cost. The bill... applies to any breach of the security of a consumer credit reporting agency that occurred no more than three years prior to the effective date of this act."

The A.2374/S.3582 bill will go into effect on September 23, 2019. The retroactive coverage of three years is good as it ensures credit reporting agencies with recent data breaches cannot escape responsibility.

Consumer reporting agencies enjoy a unique position: consumers cannot opt out of having their credit histories compiled by Experian, Equifax, and TransUnion. Some people would call that corporate welfare. It would be great if consumers had the right to remove their credit reports from credit reporting agencies that practice poor data security with repeated data breaches. Consumers have that right with retail stores -- you can stop shopping at stores with poor data security and multiple data breaches.

In related news, JD Supra reported about proposed legislation:

"... New York City lawmakers have proposed a bill that would make it unlawful for a mobile app developer or telecommunications carrier to share a customer’s location data without an authorized purpose if the data was collected from the customer’s device within the city. The bill broadly defines the term “share” as making “location data available to another person, whether for a fee or otherwise,” suggesting that selling information is unlawful without an authorized purpose such as customer consent. The bill allows for a private right of action, including penalties for violations of $1,000 per violation, with a maximum penalty of $10,000 per day per person whose location data was unlawfully shared, as well as attorney’s fees."

To learn more, read about new data breach legislation in other states this year.


What Can Be Done Right Now to Stop a Basic Source of Health Care Fraud

[Editor's note: today's post, by reporters at ProPublica, discusses fixes for the security issues discussed in a prior post. It is reprinted with permission.]

By Marshall Allen, ProPublica

In our story about the convicted health care con man David Williams, we detailed how the Texas personal trainer made off with millions by billing some of the nation’s largest health insurers as if he were a doctor providing medical services.

Williams cannily exploited gaping loopholes in the health insurance system that allowed him almost unfettered entry. Taking commonsense steps to close those loopholes, experts say, could block other fraudsters from entry.

1. No one checks to see whether people getting federal ID numbers that allow them to bill insurers have valid licenses. They could.

Anyone billing an insurance company needs a National Provider Identifier, or NPI number. The number is obtained through Medicare, a federal agency that covers people over 65 as well as those with disabilities. But Medicare doesn’t verify that NPI applicants who claim to be licensed are, indeed, licensed by their state’s regulators. The agency could do a license check in less than a minute online or in milliseconds if the process is automated.

Medicare said federal regulations do not allow it to verify NPI applicants’ credentials, so the Department of Health and Human Services might need to revise the regulations. Congress could also order the reform.

2. Insurance companies don’t always verify that the people they are paying are licensed medical providers. They could.

Williams avoided scrutiny from insurers by billing as an out-of-network provider, so he didn’t have a contract with them and didn’t have his credentials verified before receiving payments. At Williams’ trial on federal fraud charges, representatives from the insurance companies testified that it’s not cost effective to review every claim. Almost all are automatically paid.

At a minimum, insurers could ensure that anyone billing them has the proper licensing before a payment is made. Again, this screening would take seconds or less.

Regulators could also require that insurers verify the licenses of those they pay. Some experts say it may take state and federal legislation to mandate it. Officials from America’s Health Insurance Plans, the trade group for the insurers, declined to comment on this suggestion.

3. Insurance companies aren’t reporting most cases of suspected fraud to state and federal regulators. They could.

Many states have a law in place that requires insurers to report suspected cases of fraud to state regulators. This allows regulators to spot serial fraudsters and trends, and it helps officials build criminal and civil cases. But the states have a mishmash of requirements, and many don’t do audits to make sure cases are being reported.

At least three insurance companies caught Williams committing fraud. But the Texas Department of Insurance only received one referral about the case, according to internal documents. If all three insurers that Williams defrauded had referred him, his case could have been prioritized and stopped sooner.

The existing state laws don’t apply to self-funded plans where employers pay for the health benefits. Those are overseen by the federal government. And no federal law requires insurers who administer self-funded plans to report suspected cases of fraud.

State and federal laws would need to be changed to require the consistent reporting of suspected fraud. Experts say audits, and the potential for fines, may also be needed to spur the insurers to file the reports.



Emotion Recognition: Facial Recognition Software Based Upon Valid Science or Malarkey?

The American Civil Liberties Union (ACLU) reported:

"Emotion recognition is a hot new area, with numerous companies peddling products that claim to be able to read people’s internal emotional states, and artificial intelligence (A.I.) researchers looking to improve computers’ ability to do so. This is done through voice analysis, body language analysis, gait analysis, eye tracking, and remote measurement of physiological signs like pulse and breathing rates. Most of all, though, it’s done through analysis of facial expressions.

A new study, however, strongly suggests that these products are built on a bed of intellectual quicksand... after reviewing over 1,000 scientific papers in the psychological literature, these experts came to a unanimous conclusion: there is no scientific support for the common assumption “that a person’s emotional state can be readily inferred from his or her facial movements.” The scientists conclude that there are three specific misunderstandings “about how emotions are expressed and perceived in facial movements.” The link between facial expressions and emotions is not reliable (i.e., the same emotions are not always expressed in the same way), specific (the same facial expressions do not reliably indicate the same emotions), or generalizable (the effects of different cultures and contexts has not been sufficiently documented)."

Another reason why this is important:

"... an entire industry of automated purported emotion-reading technologies is quickly emerging. As we wrote in our recent paper on “Robot Surveillance,” the market for emotion recognition software is forecast to reach at least $3.8 billion by 2025. Emotion recognition (aka “affect recognition” or “affective computing”) is already being incorporated into products for purposes such as marketing, robotics, driver safety, and audio “aggression detectors.”

Regular readers of this blog are familiar with aggression detectors and the variety of industries where the technology is already deployed. And, one police body-cam maker says it won't deploy facial recognition in its products due to problems with the technology.

Yes, reliability matters -- especially when used for surveillance purposes. Nobody wants law enforcement making decisions about persons based upon software built using unreliable or fake science masquerading as reliable, valid science. Nobody wants education and school officials making decisions about students using unreliable software. Nobody wants hospital administrators and physicians making decisions about patients based upon unreliable software.

What are your opinions?


White Hat Hacker: Social Media Is a 'Goldmine For Details' For Cyberattacks Targeting Companies

Many employees are their own worst enemy when they start a new job. In this Fast Company article, a white hat hacker explains the security fails by employees which compromise their employer's data security.

Stephanie “Snow” Carruthers, the chief people hacker within a group at IBM Inc., explained that hackers troll:

"... social media for photos, videos, and other clues that can help them better target your company in an attack. I know this because I’m one of them... I’m part of an elite team of hackers within IBM known as X-Force Red. Companies hire us to find gaps in their security – before the real bad guys do... Social media posts are a goldmine for details that aid in our “attacks.” What you find in the background of photos is particularly revealing... The first thing you may be surprised to know is that 75% of the time, the information I’m finding is coming from interns or new hires. Younger generations entering the workforce today have grown up on social media, and internships or new jobs are exciting updates to share. Add in the fact that companies often delay security training for new hires until weeks or months after they’ve started, and you’ve got a recipe for disaster..."

The obvious security fails include selfie photos by interns or new hires wearing their security badges, selfies showing log-in credentials on computer screens, and selfies showing passwords written on post-it notes attached to computer monitors. Less obvious security fails include group photos by interns or new hires with their work team. Group photos can help hackers identify team members to craft personalized and more effective phishing e-mails and text messages using co-workers' names, to trick recipients into opening attachments containing malware.

This highlights one business practice interns and new hires should understand. Your immediate boss or supervisor won't scour your social media accounts looking for security fails. Your employer will outsource the job to another company, which will.

If you just started a new job, don't be that clueless employee posting security fails to your social media accounts. Read and understand your employer's social media policy. If you are a manager, schedule security training for your interns and new hires ASAP.


Automated Following: The Technology For Platoons Of Self-Driving Trucks

The MediaPost Connected Thinking blog reported:

"At the Automated Vehicle Symposium in Orlando [in July], one company involved in automated vehicle technology unveiled its vision for using a single driver to drive a pair of vehicles. The approach, named Automated Following, is an advanced platooning system created by Peloton Technology. It uses vehicle-to-vehicle (V2V) technology to let a lead driver control the vehicle and one that is following, in this case large trucks... Platooning works by utilizing V2V communications and radar-based active braking systems, combined with vehicle control algorithms, according to Peloton. The system connects a fully automated follow truck with a driver-controlled lead truck. The V2V link lets the human driven lead truck guide the steering, acceleration and braking of the follow truck..."

To learn more, I visited the Peloton Technology website. The Platoon-Pro section of the site lists the benefits below:

Platooning benefits. Peloton-Pro at Peloton Technology website. July 20, 2019.

While it's good to read about specific estimates of fuel savings, I was hoping to also read similar estimates about decreased crashes and/or decreased severity of crashes. The page simply listed the safety features.

The site's home page features a "Safety & Platoon" video explaining how a 2-truck platoon might operate. On an interstate highway, both trucks are manned with human drivers. (What happened to the single driver benefit?) The video also shows what happens when a passenger vehicle briefly "cuts" in between a 2-truck platoon:

According to the video, the drivers can vary the distance between two trucks in a platoon. That seems to be a good feature.

The technology raises several questions. First, the video features a "cut in" with a small car. What happens when a larger vehicle, such as a bus, cuts in? What happens when several (large) vehicles cut in between? Second, just because we humans can do something doesn't mean we should do it. 2-truck platoons in the near future could expand to 4- or 5-truck platoons after that. One wonders about the wisdom. Are highways, country roads, and city streets designed to accommodate truck platoons this large?

Third, my impression: a 2-truck platoon sounds like a short train. In the near future, motorists will have to navigate in-between and around platoons of self-driving tractor-trailer trucks. Are motorists ready for this? Historically, auto drivers have had difficulty with traditional railroad crossings. The technology seems to be something which requires plenty of testing.

Another way of asking the question: is this what we want on our streets and highways, given that existing railroads are already designed for trains, which are in effect long platoons of trucks?

Fourth, security matters. What's being done to prevent the technology being abused? Automated following technology in the hands of bad guys could enable terrorists to deliver platoons of car bombs, or platoons of small boats armed with bombs. So, security (against hacking and against theft) is even more of an issue.

What are your opinions?


Health Insurers Make It Easy for Scammers to Steal Millions. Who Pays? You.

[Editor's note: today's guest post, by reporters at ProPublica, discusses security and fraud issues within the health insurance industry. It is reprinted with permission.]

By Marshall Allen, ProPublica

Ever since her 14-year marriage imploded in financial chaos and a protective order, Amy Lankford had kept a wary eye on her ex, David Williams. Williams, then 51, with the beefy body of a former wrestler gone slightly to seed, was always working the angles, looking for shortcuts to success and mostly stumbling. During their marriage, Lankford had been forced to work overtime as a physical therapist when his personal training business couldn’t pay his share of the bills.

So, when Williams gave their three kids iPad Minis for Christmas in 2013, she was immediately suspicious. Where did he get that kind of money? Then one day on her son’s iPad, she noticed numbers next to the green iMessage icon indicating that new text messages were waiting. She clicked.

What she saw next made her heart pound. Somehow the iPad had become linked to her ex-husband’s personal Apple device and the messages were for him.

Most of the texts were from people setting up workouts through his personal training business, Get Fit With Dave, which he ran out of his home in Mansfield, Texas, a suburb of Fort Worth. But, oddly, they were also providing their birth dates and the group number of their health insurance plans. The people had health benefits administered by industry giants, including Aetna, Cigna and UnitedHealthcare. They were pleased to hear their health plans would now pay for their fitness workouts.

Lankford’s mind raced as she scrolled through the messages. It appeared her ex-husband was getting insurance companies to pay for his personal training services. But how could that be possible? Insurance companies pay for care that’s medically necessary, not sessions of dumbbell curls and lunges.

Insurance companies also only pay for care provided by licensed medical providers, like doctors or nurses. Williams called himself “Dr. Dave” because he had a Ph.D. in kinesiology. But he didn’t have a medical license. He wasn’t qualified to bill insurance companies. But, Lankford could see, he was doing it anyway.

As Lankford would learn, “Dr. Dave” had wrongfully obtained, with breathtaking ease, federal identification numbers that allowed him to fraudulently bill insurers as a physician for services to about 1,000 people. Then he battered the system with the bluntest of ploys: submit a deluge of out-of-network claims, confident that insurers would blindly approve a healthy percentage of them. Then, if the insurers did object, he gambled that they had scant appetite for a fight.

By the time the authorities stopped Williams, three years had passed since Lankford had discovered the text messages. In total, records show, he ran the scheme for more than four years, fraudulently billing several of the nation’s top insurance companies — United, Aetna and Cigna — for $25 million and reaping about $4 million in cash.

In response to inquiries, Williams sent a brief handwritten letter. He didn’t deny billing the insurers and defended his work, calling it an “unprecedented and beneficial opportunity to help many people.”

“My objective was to create a system of preventative medicine,” he wrote. Because of his work, “hundreds of patients” got off their prescription medication and avoided surgery.

There are a host of reasons health care costs are out of control and routinely top Americans’ list of financial worries, from unnecessary treatment and high prices to waste and fraud. Most people assume their insurance companies are tightly controlling their health care dollars. Insurers themselves boast of this on their websites.

In 2017, private insurance spending hit $1.2 trillion, according to the federal government, yet no one tracks how much is lost to fraud. Some investigators and health care experts estimate that fraud eats up 10% of all health care spending, and they know schemes abound.

Williams’ case highlights an unsettling reality about the nation’s health insurance system: It is surprisingly easy for fraudsters to gain entry, and it is shockingly difficult to convince insurance companies to stop them.

Williams’ spree also lays bare the financial incentives that drive the system: Rising health care costs boost insurers’ profits. Policing criminals eats away at them. Ultimately, losses are passed on to their clients through higher premiums and out-of-pocket fees or reduced coverage.

Insurance companies “are more focused on their bottom line than ferreting out bad actors,” said Michael Elliott, former lead attorney for the Medicare Fraud Strike Force in North Texas.

As Lankford looked at the iPad that day, she knew something else that made Williams’ romp through the health care system all the more surprising. The personal trainer had already done jail time for a similar crime, and Lankford’s father had uncovered the scheme.

Scanning her ex-husband’s texts, Lankford, then 47, knew just who to call. During the rocky end of her marriage, her dad had become the family watchdog. Jim Pratte has an MBA in finance and retired after a career selling computer hardware, but even the mention of Williams flushed his face red and ratcheted up his Texas twang. His former son-in-law is the reason he underwent firearms training.

Lankford lived a few minutes away from her parents in Mansfield. She brought her dad the iPad and they pored over message after message in which Williams assured clients that their insurance would cover their workouts at no cost to them.

Lankford and Pratte, then 68, were stunned at Williams’ audacity. They were sure the companies would quickly crack down on what appeared to be a fraudulent scheme.

Especially because Williams had a criminal record.

In early 2006, while Williams and Lankford were going through their divorce, the family computer started freezing up. Lankford asked her dad to help her recover a document. Scrolling through the hard drive, Pratte came upon a folder named “Invoices,” and he suspected it had something to do with Williams.

His soon-to-be ex-son-in-law had had a promising start. He’d wrestled and earned bachelor’s and master’s degrees at Boise State University, and a Ph.D. at Texas A&M University, before landing a well-paying job as a community college professor in Arlington. But the glow faded when the school suddenly fired him for reasons hidden by a confidential settlement and by Williams himself, who refused to reveal them even to his wife.

Out of a job, Williams had hustled investments from their friends to convert an old Winn-Dixie grocery store into a health club called “Doc’s Gym.” The deal fell apart and everyone lost their money. The failure was written up in the local newspaper under the headline: “What’s up with Doc’s?”

Inside the “Invoices” folder, Pratte found about a dozen bills that appeared to be from a Fort Worth nonprofit organization where his daughter and Williams took their son Jake for autism treatment. As Pratte suspected, the invoices turned out to be fake. Williams had pretended to take Jake for therapy, then created the false bills so he could pocket a cash “reimbursement” from a county agency.

In November 2008, Williams pleaded guilty in Tarrant County District Court to felony theft. He was sentenced to 18 months in jail and was released on bail while he appealed.

Things took an even darker turn about two years later when Williams and Lankford’s 11-year-old son showed up to school with bruising on his face. Investigators determined that Williams had hit the boy in the face about 20 times. Williams pleaded guilty to causing bodily injury to a child, a felony, which, coupled with the bail violation, landed him in jail for about two years.

The time behind bars didn’t go to waste. Williams revised the business plan for Get Fit With Dave, concluding he needed to get access to health insurance.

Williams detailed his plans in letters to Steve Cosio, a tech-savvy friend who ran the Get Fit With Dave website in exchange for personal training sessions. Cosio, whose name later popped up on Lankford’s son’s iPad, kept the letters in their original envelopes and shared them with ProPublica. He said he never suspected Williams was doing anything illegal.

In his letters, Williams said that when he got out, instead of training clients himself, he would recruit clients and other trainers to run the sessions. “It has the potential for increased revenue.”

He asked Cosio to remove the term “personal training” from his website in another letter, adding “95 percent of my clients are paid for by insurance, which does not cover ‘personal training,’ I have to bill it as ‘therapeutic exercise.’ It is the same thing, but I have to play the insurance game … Insurance pays twice as much as cash pay so I have to go after that market.”

Williams downplayed his child abuse conviction — “I can honestly say that I am the only one in here for spanking their child” — and included a dig at his ex-father-in-law, Pratte: “an evil, evil man. He is the reason for my new accommodations.”

Williams told Cosio he needed to raise a quick $30,000 to pay an attorney to get him access to his children. “I will need to get a bunch of clients in a hurry.”

To set his plan in motion, Williams needed what is essentially the key that unlocks access to health care dollars: a National Provider Identifier, or NPI number. The ID number is little known outside the medical community but getting one through the federal government’s Medicare program is a rite of passage for medical professionals and organizations. Without it, they can’t bill insurers for their services.

One would think obtaining an NPI, with its stamp of legitimacy, would entail at least some basic vetting. But Williams discovered and exploited an astonishing loophole: Medicare doesn’t check NPI applications for accuracy — a process that should take mere minutes or, if automated, a millisecond. Instead, as one federal prosecutor later noted in court, Medicare “relies on the honesty of applicants.”

Records show Williams first applied for an NPI under his own name as far back as 2008. But it wasn’t until 2014 that Williams began to ramp up his scheme, even though now he wasn’t just unlicensed, he was a two-time felon. He got a second NPI under the company name, Kinesiology Specialists. The following year, he picked up another under Mansfield Therapy Associates. In 2016, he obtained at least 11 more, often for entities he created in the areas where he found fitness clients: Dallas, Nevada, North Texas and more. By 2017, he had 20 NPIs, each allowing him a new stream of billings.

For every NPI application, Williams also obtained a new employer identification number, which is used for tax purposes. But he never hid who he was, using his real name, address, phone number and email address on the applications. He added the title “Dr.” and listed his credentials as “PhD.” Under medical specialty he often indicated he was a “sports medicine” doctor and provided a license number, even though he wasn’t a physician and didn’t have a medical license.

Medicare officials declined to be interviewed about Williams. But in a statement, they acknowledged that the agency doesn’t verify whether an NPI applicant is a medical provider or has a criminal history. The agency claims it would need “explicit authority” from the Department of Health and Human Services to do so — and currently doesn’t have it. Regulations, and potentially the law, would need to be revised to allow the agency to vet the applications, the statement said.

Medicare does verify the credentials of physicians and other medical providers who want to bill the agency for their Medicare patients.

To those charged with rooting out fraudsters, the current regulations seem like an invitation to plunder. “Medicare has to make sure that the individuals who apply for NPIs are licensed physicians — it’s that simple,” said Elliott, the former prosecutor who ran about 100 health care fraud investigations.

Elliott, who now does white-collar criminal defense, said he knows of two other cases currently under federal investigation in which non-licensed clinic administrators lied to obtain NPI numbers, then used patients’ information to file false claims worth millions.

Medicare warns NPI applicants that submitting false information could lead to a $250,000 fine and five years in prison. But since Medicare started issuing NPIs in 2006, officials said they could not identify anyone who had been sanctioned.

So, for those bent on fraud, the first step is easy; the online approval for an NPI takes just minutes.

Williams got out of jail in November 2012 and launched an aggressive expansion with an irresistible pitch: Time to get those private personal training sessions you thought you couldn’t afford!

“Now accepting most health insurance plans,” his Get Fit With Dave website announced. He added a drop-down menu to his site, allowing potential clients to select their health insurance provider: Aetna. Blue Cross Blue Shield. United.

He began building a team, soliciting trainers from the strength and conditioning department at Texas Christian University. He met with new recruits at local fast food joints or coffee shops to set them up. To the trainers, the business appeared legit: They even signed tax forms. Before long, Williams’ network stretched throughout Texas and into Colorado, Idaho and Nevada.

One Fort Worth trainer recalled meeting Williams through one of his clients, a Southwest Airlines flight attendant. Williams, he said, seemed like a real doctor, and it wasn’t hard to imagine an insurer’s wellness program covering fitness. Plus, it was good money — about $50 an hour and Williams paid him for multiple clients at once if he did boot camps, said the trainer, who asked that his name not be used so he wouldn’t be tarnished by his association with Williams. Williams, he said, even gave him an iPad, with “Kinesiology Specialists” etched on the back, to submit bills and paid him via direct deposit.

Clients came to Williams through his business cards, his website and word-of-mouth. Williams, records show, quickly verified if their insurance companies would cover his fees — although he didn’t tell clients that those fees would be billed as medical services, not personal training. To ensure the clients paid nothing, he waived their annual deductibles — the portion patients pay each year before insurance kicks in. Authorities said Williams banked on being able to file enough claims to quickly blow through their deductibles so he could get paid.

Meredith Glavin, a flight attendant with Southwest, told the authorities she got in touch with Williams after her co-workers said insurance was covering their workouts. After providing her name, address and insurance information on the Get Fit With Dave website, Williams emailed back with the good news: “Everything checks out with your insurance. My services will be covered at no cost to you.”

During a follow-up phone call, Glavin said, they discussed her fitness and weight loss goals and then Williams connected her with a trainer. The workouts were typical fitness exercises, she said, not treatment for a medical condition. But insurance claims show Williams billed the sessions as highly complex $300 examinations to treat “lumbago and sciatica,” a condition in which nerve pain radiates from the lower back into the legs.

He used his favorite billing code — 99215 — to bill Glavin’s insurer, United, the claims show. The code is supposed to be used less often because it requires a comprehensive examination and sophisticated medical decision-making, warranting higher reimbursement. In all, Williams used the code to bill United for more than $20.5 million — without apparently triggering any red flags at the insurer. For that code alone, the insurance giant rewarded him with $2.5 million in payments.

Eventually, Get Fit With Dave expanded to about a dozen trainers and around 1,000 patients, said a source familiar with the case. And, court records show, the checks from insurance companies, some over $100,000, kept rolling in.

Williams bought a couple of pick-up trucks, a new Harley Davidson motorcycle and a fancy house. But greed didn’t seem his only motivation. “I made $50K last week,” he wrote in a December 2014 text to a friend. “Seriously it means nothing. It is not about the money. I have had a lot taken away from me, and maybe I am trying to prove something ... Maybe it is my way of giving the finger to everyone???”

A few miles away, his former father-in-law watched Williams’ illegal business blossom with growing outrage. Pratte kept his grandson’s iPad on his desk, near his computer, and checked it every day. The texts appeared boring, even routine, but Pratte knew they were evidence of ongoing fraud.

“I have another flight attendant friend who is interested in signing up as well,” a new client texted to Williams.

“Tell him to show up with his insurance card,” Williams replied.

To Pratte, the text messages were a “gold mine.” This is the stuff that will really nail his rear end, he recalled thinking as he read the messages. He couldn’t wait to share his findings with the insurers. How often do they get cases wrapped up in a bow?

But when he and Lankford began contacting insurers, they were soon bewildered. When Pratte told Aetna that he wanted to report a case of fraud, he said the customer service representative asked for his member number, then told him non-members couldn’t report criminal activity. Lankford, who happened to be covered by Aetna, made the complaint, but they say they never heard back.

An Aetna spokesman told ProPublica that the insurer could find no record of Pratte’s call but said the company’s fraud hotline takes tips from anyone, even anonymous callers.

Lankford sent an email to Cigna’s special investigations unit in January 2015 “regarding one of your providers that concerns me.” She provided Williams’ company name, address, cellphone number, Social Security number and more, and she described his scheme. “He has no medical license or credentials,” she wrote. “He was in prison for felony theft.”

A supervisory investigator called to ask for the names of personal trainers, which Lankford provided. But, again, there was silence.

Pratte could see many of the clients worked for Southwest and had their benefits administered by United. He jotted down the name, address, phone number, birth date and member identification number of the potential clients on a yellow legal pad — all the information the insurer and Southwest would need to investigate the fraud. This is so easy, Pratte recalled thinking as he wrote down the details, all they have to do is cross-reference this.

Because Southwest self-funds its benefits, the company was on the hook for the bills, which would eventually total about $2.1 million according to a source familiar with the case. It paid United to administer the company’s plan and ensure the claims it covered were legitimate. Pratte said he called the airline in the fall of 2015 and spoke to someone in the human resources department who said they would pass the information to the right people. “That was the last I heard,” he said. Southwest declined to comment for this story. It still pays United to administer its benefits.

Pratte started calling United in the fall of 2014 and spoke to a fraud investigator who took the information with interest, he said. But within a couple of weeks he was told she moved to a different position. Pratte continued calling United over the following two years, making about a dozen calls in total, he said. “He is not a doctor,” Pratte told whoever picked up the phone. “So, I don’t see how he can be filing claims.”

In early 2015, Lankford emailed additional information to the investigator. The investigator wrote back, thanking Lankford and saying she forwarded the details to the people who research licenses. “They will investigate further,” she said in the email.

Meanwhile, the text messages showed Williams continuing to sign up — and bill for — United members.

Frustrated, Pratte made one final call to United in 2016, but he was told the case was closed. United said he’d have to call the Texas Department of Insurance for any additional details. Pratte had already filed a complaint with the regulator but reached out again. The department told him that because he hadn’t personally been defrauded, it would not be able to act on his complaint.

To Pratte, it appeared he had struck out with Aetna, United, Southwest and the Texas Department of Insurance. “I was trying to get as many people as possible to look into it as I could,” Pratte said recently. “I don’t know if that tells me they are incompetent. Or they don’t care. Or they’re too busy.”

A case summary, prepared by the Texas Department of Insurance, shows it first learned of the Williams case in January 2015 but lacked staff to investigate. A spokesman said the regulator later received Pratte’s complaint but didn’t pursue it after learning that United had already investigated and closed its case.

Meanwhile, some Get Fit With Dave clients had begun noticing odd claims on their insurance statements.

Nanette Bishop had heard about Williams when a fellow Southwest flight attendant handed her the trainer’s business card and said, “You’ve got to meet Dr. Dave.” (Bishop said the Southwest legal department advised her not to speak with ProPublica. Details about her interaction with Williams come from court records.)

Bishop said she started strong with the workouts but “fizzled” quickly. Her daughter, who was also on her plan and signed up for workouts, only did a couple sessions. Bishop said she had a hard time staying consistent because she was traveling a lot — for much of October 2014 she was in Germany. Later, she noticed in her insurance records that Williams had been paid for dozens of sessions over many months, even during the time she’d been abroad.

Bishop texted Williams in January 2015 to tell him he needed to refund all the money. “I never worked out four [times] a week and [my daughter] quit the first week of September,” she wrote. Bishop also called United and Southwest Airlines to report the overbilling.

About a month later, Williams received a letter from a subsidiary of United ordering a review of Bishop’s medical records.

Another client texted Williams with concerns that her United insurance plan had been billed for 18 workouts in December 2015. That couldn’t be accurate, the woman wrote. “I had to take December off due to my work schedule and family in town,” she wrote. “I understand that people need to be paid but this seems excessive.”

While Pratte, Lankford and some of Williams’ clients repeatedly flagged bogus bills, the mammoth health insurers reacted with sloth-like urgency to the warnings. Their correspondence shows an almost palpable disinterest in taking decisive action — even while acknowledging Williams was fraudulently billing them.

Cigna appears to have been the quickest to intervene. In January 2015, Cigna sent Williams a letter, noting that he wasn’t a licensed medical provider and had misrepresented the services he provided. The insurer said he needed to pay back $175,528 and would not be allowed to continue billing.

“I just got a $175K bill in the mail,” Williams texted to a friend. “Cigna insurance has been overpaying me for the past 18 months and they want it back. I knew that they were reimbursing at too high of a rate so I can’t really complain.”

By then Williams had more than one National Provider Identifier, so he just switched numbers and kept billing Cigna. More than a year later, in May 2016, Cigna sent another letter, saying he now owed $310,309 for inappropriate payments. In total, the company paid him more than $323,000. Williams never gave any of it back. Cigna declined to comment about the Williams case.

Aetna wrote Williams in January 2015 to say it had reviewed his claims and found he wasn’t licensed, resulting in an overpayment of $337,933. The letter said there appeared to be “abusive billing” that gave “rise to a reasonable suspicion of fraud.” But the insurer also gave him a month to provide documentation to dispute the assessment. When Williams hadn’t responded in three months, an Aetna investigator wrote to Williams’ attorney, saying, “We are willing to discuss an amicable resolution of this matter,” and gave him two more weeks to respond.

That August, an Aetna attorney sent Williams’ attorney another letter, noting that Williams had submitted “fraudulent claims” and had continued to submit bills “even after his billing misconduct was identified.”

In January 2016 — a year after Aetna first contacted him — Williams agreed to a settlement that required him to refund the company $240,000 “without admission of fault or liability by either party.”

But that didn’t stop, or even appear to slow, Williams. Not only did he renege on that promise, he picked one of his other NPI numbers and continued to file claims resulting in another $300,000 in payments from Aetna. In total, Aetna paid Williams more than $608,000.

In emails, Ethan Slavin, a company spokesman, didn’t explain why Aetna settled with Williams instead of pursuing criminal prosecution. He blamed the insurer’s slow response on the lengthy settlement process and Williams’ tactic of billing under different organizations and tax identification numbers. Williams did repay some of the money before defaulting, Slavin said.

United, one of the largest companies in the country, paid out the most to Williams. The insurer brought in $226 billion last year and has a subsidiary, Optum, devoted to digging out fraud, even for other insurers. But that prowess is not reflected in its dealings with Williams.

In September 2015, United wrote to Williams, noting his lack of a license and the resulting wrongful payments, totaling $636,637. But then the insurer added a baffling condition: If Williams didn’t respond, United would pay itself back out of his “future payments.” So while demanding repayment because Williams was not a doctor, the company warned it would dock future claims he would be making as a doctor.

Williams responded a month later, noting that he had a Ph.D. in kinesiology and did rehab, so he met the qualifications of a sports medicine doctor.

United responded in November 2015 with the same argument: he wasn’t licensed and thus needed to repay the money, again warning that if he didn’t, United would “initiate repayment by offsetting future payments.”

Williams took United up on its offer. “Please offset future payments until the requested refund amount is met,” he responded.

Then Williams turned to another NPI number, records show, and continued submitting claims to United.

In January 2016, Williams agreed to settle with United and repay $630,000 in monthly installments of $10,000. Inexplicably, the agreement refers to Williams as “a provider of medical services or products licensed as appropriate under the laws of the state of TX” and notes that the settlement doesn’t terminate his continued participation in United’s programs.

In 2016, Williams obtained a new batch of NPI numbers from Medicare. As usual, he used his real name, address and credentials on the applications. The additional numbers allowed him to continue to make claims to United.

In November 2016, United investigators caught Williams again — twice. They sent two letters accusing him of filing 820 claims between May 2016 and August 2016 and demanded repayment. Again, almost inconceivably, the company threatened to cover his debt with “future payments.”

In December 2016, United notified Williams he had only repaid $90,000 of the initial $630,000 he owed and was in default. The following month, United told him he had to pay the remaining $540,000 within 20 days or he could face legal action. Williams replied, saying he wanted to renegotiate the settlement, but the insurer declined. Late that month, United said its inappropriate payments to Williams had ballooned to more than $2.3 million.

A United spokeswoman said it was difficult to stop Williams because he used variations on his name and different organizations to perpetrate the fraud. “He did everything he could not to get caught,” Maria Gordon-Shydlo said.

She acknowledged getting the complaints from Lankford and Pratte, as well as United members, but defended the response of the company, saying it had eventually referred Williams to law enforcement.

The insurer is continuing “to improve our processes and enhance our systems so we can catch these schemes on the front-end,” she said, “before a claim is paid and to recoup dollars that were paid as a result of provider misconduct.”

In all, United paid Williams more than $3.2 million — most of it after the insurer had caught him in the act.

But in reality, the losses weren’t all United’s. Most of the fraud was funded by its client, Southwest.

Many health care experts and fraud investigators said they weren’t surprised to hear that insurers were slow to stop even such an outlandish case of fraud.

“It’s just not worth it to them,” said Dr. Eric Bricker, an internist who spent years running a company that advised employers who self-funded their insurance.

For insurance behemoths pulling in billions, or hundreds of billions, in revenue, fraud that sucks away mere millions is not even a rounding error, he said.

And perhaps counter-intuitively, insurance companies are loath to offend physicians and hospitals in their all-important networks — even those accused of wrongdoing, many experts have said. They attract new clients by providing access to their networks.

This ambivalence toward fraud, Bricker and others said, is no secret. Scammers like Williams are “emblematic of gazillions of people doing variants of the same thing,” Bricker said. Insurers embolden them by using a catch-and-release approach to fraud, in which the insurers identify criminals, then let them go.

Joe Christensen has pursued fraud for both government and commercial insurers, serving as a director in Aetna’s Special Investigations Unit, a team of more than 100 people ferreting out fraud, from 2013 to 2018 and as the director of Utah’s insurance fraud division for 13 years. Fraud in government programs, like Medicare and Medicaid, gets more publicity, he said, and has dedicated arms of agencies pursuing fraudsters. But the losses may be even greater in the commercial market because the dollar levels are higher, he said.

Some commercial insurers take a passive approach, Christensen said, in part because it’s expensive to press a fraud case. At Aetna, he said, investigators would identify cases of apparent fraud, but it was up to the executives and legal team to decide how to handle them. Taking fraudsters to civil or criminal court requires resources, so the company often settled for trying to get repaid through settlements or blocking a suspect provider from billing, he said.

Christensen said while he was at Aetna, investigators almost never sought to partner with law enforcement agencies to pursue criminal cases. Last spring, he became the SIU director for a Southern California-based Medicaid plan called L.A. Care Health Plan, where he was allowed to take a proactive approach. In just about a year, he said, his much smaller team began 37 criminal investigations with law enforcement agencies. The cases are in different stages, but so far there have been seven arrests, four search warrants and one conviction. Christensen recently took a job with an insurer in Utah, where his family lives, so he could be closer to them.

ProPublica asked Aetna how many criminal cases it had pursued in 2017 and 2018. A company official said the question could not be answered because it does not track such cases.

In the spring of 2017, more than four years after Williams first began billing insurers, one of them, United, finally brought him to the attention of the FBI’s health care fraud squad.

One May day, agents from the FBI and the newly engaged Texas Department of Insurance knocked on the door of Williams’ sprawling six-bedroom home — a spread he’d boasted to one trainer that he’d purchased with cash. Williams didn’t invite them in. He refused to answer questions, claiming his attorney had dealt with the questionable billings.

Undaunted, just days later, Williams used a freshly minted NPI number to send another bill to United. The last known claim he submitted was on June 3, 2017, according to a source familiar with the investigation.

That October, Williams’ long run came to an end when he was arrested by the FBI.

The following May, Williams’ trial began in the United States District Court for the Northern District of Texas. The prosecution didn’t have to make a complex argument. Williams had billed for non-medically necessary services and wasn’t a medical provider — a “slam dunk case” said the agent on the case.

But the testimony served as a cheat sheet for how to defraud the health insurance industry and mostly get away with it.

Without irony, the prosecutor, P.J. Meitl, argued that Williams had preyed on a health insurance system that relies “on trust, relies on honesty” when it pays claims.

He called fraud investigators from Aetna, Cigna and United, who testified that their companies auto-pay millions of claims a year. It’s not cost effective to check them, they said. “Aetna relies on the honesty of the person submitting the claim verifying that it’s true,” testified Kathy Richer, a supervisor in Aetna’s Special Investigations Unit.

In a similar manner, Medicare trusts that people who apply for NPI numbers are actually medical providers, Meitl told the jury. Medicare “does not investigate or verify whether an individual is actually a health care provider before issuing an NPI number.”

Williams’ attorney, Wes Ball, argued that the case was the sign of a “broken” health care system and blamed insurers for making a financial decision not to review Williams’ claims before paying them. United failed to protect Southwest’s money, Ball said, and “might be a vendor you might not want to hire.”

As for the NPI numbers, anyone could have checked Williams’ credentials, he said.

The jury wasn’t convinced, convicting Williams of four counts of health care fraud.

The judge sentenced him to a little more than nine years in federal prison and ordered him to pay $3.9 million in restitution to United, Aetna and Cigna.

Insurers promote themselves as guardians of health care dollars. United says on its website it wants to “help employers manage” medical expenses, resulting in “lower costs.” Aetna promises employers “affordability.” Cigna promises “increased savings.”

But private health insurers allow so much fraud that prosecutors use an idiom to describe the rare person who gets caught: “Pigs get fat, hogs get slaughtered.”

“Pigs” can steal millions, if they bill just enough to avoid notice. But if they get greedy and bill too many millions, they “become a data outlier,” said Elliott, the former fraud task force prosecutor. “You get slaughtered.”

Williams took years to reach hog status.
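A defender-side version of the checks the trial testimony says were missing, as an added example that is not code from ProPublica, the insurers or Medicare: it verifies an NPI against a license record before a claim auto-pays, treats NPIs registered under the same name and address as one provider so a block on one NPI carries to the rest, and measures 99215 usage per provider identity rather than per NPI so splitting claims across numbers does not hide an outlier. All NPIs, names, addresses, claims and the `licensed` flag are constructed, and the 80 percent threshold is an assumed policy parameter.

```python
"""Pre-payment claim screening (added example; constructed data throughout).

Three checks drawn from the Williams case: license verification of the NPI,
identity linkage across NPIs registered with the same name/address, and a
per-identity share of high-complexity code 99215.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed registry: the fields an NPI application captures, plus a
# hypothetical 'licensed' flag that a licensing-board lookup would supply.
NPI_REGISTRY = {
    "1000000001": {"name": "Dave Williams", "address": "1 Main St, Fort Worth, TX", "licensed": False},
    "1000000002": {"name": "David P. Williams", "address": "1 Main St, Fort Worth, TX", "licensed": False},
    "1000000003": {"name": "D. Williams PhD", "address": "1 Main St, Fort Worth, TX", "licensed": False},
    "2000000001": {"name": "Jane Doe MD", "address": "9 Clinic Rd, Dallas, TX", "licensed": True},
    "2000000002": {"name": "Raj Patel MD", "address": "5 Med Pkwy, Austin, TX", "licensed": True},
}


@dataclass(frozen=True)
class Claim:
    claim_id: str
    npi: str
    cpt: str      # CPT billing code, e.g. 99215 (high-complexity visit)
    amount: float


# Credential suffixes ignored when matching name variants.
_SUFFIXES = {"md", "do", "phd", "dr"}


def identity_key(entry):
    """Collapse name variants ('Dave', 'David P.', 'D.') onto last name plus
    the address, which the applicant reused on every NPI application."""
    tokens = [t.strip(".,").lower() for t in entry["name"].split()]
    tokens = [t for t in tokens if t not in _SUFFIXES]
    return (tokens[-1], " ".join(entry["address"].lower().split()))


def expand_blocklist(blocked_npis, registry):
    """Every NPI registered under the same identity as any blocked NPI."""
    keys = {identity_key(registry[n]) for n in blocked_npis if n in registry}
    return {n for n, e in registry.items() if identity_key(e) in keys}


def screen_claims(claims, registry, blocked_npis=()):
    """Return [(claim_id, reason)] for claims that must not auto-pay.
    Priority: blocked identity > unknown NPI > no verified license."""
    blocked = expand_blocklist(blocked_npis, registry)
    flagged = []
    for c in claims:
        entry = registry.get(c.npi)
        if c.npi in blocked:
            flagged.append((c.claim_id, "blocked_identity"))
        elif entry is None:
            flagged.append((c.claim_id, "unknown_npi"))
        elif not entry["licensed"]:
            flagged.append((c.claim_id, "unlicensed"))
    return flagged


def code_share_outliers(claims, registry, code="99215", min_claims=5, threshold=0.8):
    """Share of `code` per provider identity (claims split across NPIs still
    aggregate). Flags identities at or above `threshold`, an assumed policy
    parameter; 99215 is meant to be the exception, not the rule."""
    totals, hits = defaultdict(int), defaultdict(int)
    for c in claims:
        key = identity_key(registry[c.npi]) if c.npi in registry else ("?", c.npi)
        totals[key] += 1
        hits[key] += c.cpt == code
    return {k: hits[k] / totals[k] for k in totals
            if totals[k] >= min_claims and hits[k] / totals[k] >= threshold}


# Constructed claim feed: one identity billing 99215 across three NPIs
# (each NPI alone stays under min_claims), plus two licensed providers.
SAMPLE_CLAIMS = (
    [Claim(f"W{i}", "1000000001", "99215", 300.0) for i in range(4)]
    + [Claim(f"W{i}", "1000000002", "99215", 300.0) for i in range(4, 7)]
    + [Claim(f"W{i}", "1000000003", "99215", 300.0) for i in range(7, 9)]
    + [Claim("J0", "2000000001", "99215", 300.0)]
    + [Claim(f"J{i}", "2000000001", "99213", 110.0) for i in range(1, 6)]
    + [Claim(f"P{i}", "2000000002", "99213", 110.0) for i in range(5)]
)

if __name__ == "__main__":
    for cid, why in screen_claims(SAMPLE_CLAIMS, NPI_REGISTRY, blocked_npis={"1000000001"}):
        print(cid, why)
    print(code_share_outliers(SAMPLE_CLAIMS, NPI_REGISTRY))
```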

Part of the problem, experts say, is that health care fraud is often misunderstood as shafting greedy insurers — not the folks paying for health insurance. Ultimately, insurers don’t bear the cost. For their self-funded clients, like Southwest, they merely process the claims. For their traditionally insured clients, they can recover any losses by increasing deductibles and premiums and decreasing coverage.

Williams appears to have duped more than insurers. His twin brother, Dan Williams, recently retired as the assistant special agent in charge of the Dallas field office for criminal investigation for the Internal Revenue Service. He spent 27 years ferreting out fraud, and he gets the irony. “You’re not the first person to point that out,” he said.

Dan Williams said his brother’s sudden riches from the training business piqued his investigative instincts, but he “trusted” his brother when “he told me he was authorized to bill insurance companies.”

In his letter to ProPublica, Williams did not address the issues in the case or even acknowledge that any of his activities were wrong. Instead, he blamed his former wife. “It grieves me that the consequences of a bitter and hurtful divorce have resulted in the ending of this unprecedented and beneficial opportunity to help many people,” he wrote.

Lankford and Pratte are proud of their part in ending his scheme, if still baffled that they had to play such a central role in uncovering it.

If it hadn’t been for the iPad messages, “I have to believe he would still be billing insurance companies from a Caribbean island,” Pratte said.

ProPublica is a Pulitzer Prize-winning investigative newsroom.


FTC Levies $5 Billion Fine, 'New Restrictions, And Modified Corporate Structure' To Hold Facebook Accountable. Will These Actions Prevent Future Privacy Abuses?

The U.S. Federal Trade Commission (FTC) announced on July 24th a record-breaking fine against Facebook, Inc., plus new limitations on the social networking service. The FTC announcement stated:

"Facebook, Inc. will pay a record-breaking $5 billion penalty, and submit to new restrictions and a modified corporate structure that will hold the company accountable for the decisions it makes about its users’ privacy, to settle Federal Trade Commission charges that the company violated a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information... The settlement order announced [on July 24th] also imposes unprecedented new restrictions on Facebook’s business operations and creates multiple channels of compliance..."

During 2018, Facebook generated after-tax profits of $22.1 billion on sales of $55.84 billion. While a $5 billion fine is a lot of money, the company can easily afford the record-breaking fine. The fine equals about one month's revenues, or a little over 4 percent of its $117 billion in assets.

U.S. Federal Trade Commission: New compliance system for Facebook.

The FTC announcement explained several "unprecedented" restrictions in the settlement order. First, the restrictions are designed to:

"... prevent Facebook from deceiving its users about privacy in the future, the FTC’s new 20-year settlement order overhauls the way the company makes privacy decisions by boosting the transparency of decision making... It establishes an independent privacy committee of Facebook’s board of directors, removing unfettered control by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy. Members of the privacy committee must be independent and will be appointed by an independent nominating committee. Members can only be fired by a supermajority of the Facebook board of directors."

Second, the restrictions mandated compliance officers:

"Facebook will be required to designate compliance officers who will be responsible for Facebook’s privacy program. These compliance officers will be subject to the approval of the new board privacy committee and can be removed only by that committee—not by Facebook’s CEO or Facebook employees. Facebook CEO Mark Zuckerberg and designated compliance officers must independently submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. Any false certification will subject them to individual civil and criminal penalties."

Third, the new order strengthens oversight:

"... The order enhances the independent third-party assessor’s ability to evaluate the effectiveness of Facebook’s privacy program and identify any gaps. The assessor’s biennial assessments of Facebook’s privacy program must be based on the assessor’s independent fact-gathering, sampling, and testing, and must not rely primarily on assertions or attestations by Facebook management. The order prohibits the company from making any misrepresentations to the assessor, who can be approved or removed by the FTC. Importantly, the independent assessor will be required to report directly to the new privacy board committee on a quarterly basis. The order also authorizes the FTC to use the discovery tools provided by the Federal Rules of Civil Procedure to monitor Facebook’s compliance with the order."

Fourth, the order included six new privacy requirements:

"i) Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data; ii) Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising; iii) Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users; iv) Facebook must establish, implement, and maintain a comprehensive data security program; v) Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and vi) Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services."

Wow! Lots of consequences when a manager builds a corporation with a "move fast and break things" culture, values, and ethics. Assistant Attorney General Jody Hunt for the Department of Justice’s Civil Division said:

"The Department of Justice is committed to protecting consumer data privacy and ensuring that social media companies like Facebook do not mislead individuals about the use of their personal information... This settlement’s historic penalty and compliance terms will benefit American consumers, and the Department expects Facebook to treat its privacy obligations with the utmost seriousness."

There is disagreement among the five FTC commissioners about the settlement, as the vote for the order was 3 - 2. FTC Commissioner Rebecca Kelly Slaughter stated in her dissent:

"My principal objections are: (1) The negotiated civil penalty is insufficient under the applicable statutory factors we are charged with weighing for order violators: injury to the public, ability to pay, eliminating the benefits derived from the violation, and vindicating the authority of the FTC; (2) While the order includes some encouraging injunctive relief, I am skeptical that its terms will have a meaningful disciplining effect on how Facebook treats data and privacy. Specifically, I cannot view the order as adequately deterrent without both meaningful limitations on how Facebook collects, uses, and shares data and public transparency regarding Facebook’s data use and order compliance; (3) Finally, my deepest concern with this order is that its release of Facebook and its officers from legal liability is far too broad..."

FTC Commissioners Noah Joshua Phillips and Christine S. Wilson stated on July 24th in an 8-page joint statement (Adobe PDF) with Chairman Joseph J. Simons of the U.S. District Court for the District of Columbia:

"In 2012, Facebook entered into a consent order with the FTC, resolving allegations that the company misrepresented to consumers the extent of data sharing with third-party applications and the control consumers had over that sharing. The 2012 order barred such misrepresentations... Our complaint announced today alleges that Facebook failed to live up to its commitments under that order. Facebook subsequently made similar misrepresentations about sharing consumer data with third-party apps and giving users control over that sharing, and misrepresented steps certain consumers needed to take to control [over] facial recognition technology. Facebook also allowed financial considerations to affect decisions about how it would enforce its platform policies against third-party users of data, in violation of its obligation under the 2012 order... The $5 billion penalty serves as an important deterrent to future order violations... For purposes of comparison, the EU’s General Data Protection Regulation (GDPR) is touted as the high-water mark for comprehensive privacy legislation, and the penalty the FTC has negotiated is over 20 times greater than the largest GDPR fine to date... IV. The Settlement Far Exceeds What Could be Achieved in Litigation and Gives Consumers Meaningful Protections Now... Even assuming the FTC would prevail in litigation, a court would not give the Commission carte blanche to reorganize Facebook’s governance structures and business operations as we deem fit. Instead, the court would impose the relief. Such relief would be limited to injunctive relief to remedy the specific proven violations... V. Mark Zuckerberg is Being Held Accountable and the Order Cabins His Authority Our dissenting colleagues argue that the Commission should not have settled because the Commission’s investigation provides an inadequate basis for the decision not to name Mark Zuckerberg personally as a defendant... The provisions of this Order extinguish the ability of Mr. Zuckerberg to make privacy decisions unilaterally by also vesting responsibility and accountability for those decisions within business units, DCOs, and the privacy committee... the Order significantly diminishes Mr. Zuckerberg’s power — something no government agency, anywhere in the world, has thus far accomplished. The Order requires multiple information flows and imposes a robust system of checks and balances..."

Time will tell how effective the order's restrictions and the $5 billion penalty are. That Facebook can easily afford the penalty suggests the amount is a weak deterrent. If all or part of the penalty is tax-deductible (yes, tax-deductible fines have happened before, directly reducing a company's taxes), then that would weaken its deterrent effect further. And, if all or part of the fine is tax-deductible, then we taxpayers just paid for part of Facebook's alleged wrongdoing. I'll bet most taxpayers wouldn't want that.

Facebook stated in a July 24th news release that its second-quarter 2019 earnings included:

"... an additional $2.0 billion legal expense related to the U.S. Federal Trade Commission (FTC) settlement and a $1.1 billion income tax expense due to the developments in Altera Corp. v. Commissioner, as discussed below. As the FTC expense is not expected to be tax-deductible, it had no effect on our provision for income taxes... In July 2019, we entered into a settlement and modified consent order to resolve the inquiry of the FTC into our platform and user data practices. Among other matters, our settlement with the FTC requires us to pay a penalty of $5.0 billion and to significantly enhance our practices and processes for privacy compliance and oversight. In particular, we have agreed to implement a comprehensive expansion of our privacy program, including substantial management and board of directors oversight, stringent operational requirements and reporting obligations, and a process to regularly certify our compliance with the privacy program to the FTC. In the second quarter of 2019, we recorded an additional $2.0 billion accrual in connection with our settlement with the FTC, which is included in accrued expenses and other current liabilities on our condensed consolidated balance sheet."

"Not expected to be" is not the same as definitely not. And, business expenses reduce a company's taxable net income.

A copy of the FTC settlement order with Facebook is also available here (Adobe PDF format; 920K bytes). Plus, there is more:

"... the FTC also announced today separate law enforcement actions against data analytics company Cambridge Analytica, its former Chief Executive Officer Alexander Nix, and Aleksandr Kogan, an app developer who worked with the company, alleging they used false and deceptive tactics to harvest personal information from millions of Facebook users. Kogan and Nix have agreed to a settlement with the FTC that will restrict how they conduct any business in the future."

Cambridge Analytica was involved in the massive Facebook data breach in 2018 when persons allegedly posed as academic researchers in order to download Facebook users' profile information they really weren't authorized to access.

What are your opinions? Hopefully, some tax experts will weigh in about the fine.


Equifax To Pay $575 Million To Settle Charges By U.S. Regulators About Massive 2017 Data Breach

Yesterday, the U.S. Federal Trade Commission (FTC) announced a proposed settlement agreement with Equifax, a national credit reporting agency, which has agreed to pay $575 million to resolve charges about its massive data breach in 2017. That breach exposed the sensitive personal and financial information of about half of all citizens in the United States. The announcement stated:

"In its complaint, the FTC alleges that Equifax failed to secure the massive amount of personal information stored on its network, leading to a breach that exposed millions of names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud..."

The global, proposed settlement agreement included the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories. The FTC announcement described Equifax's data security failures (emphasis added):

"The FTC alleges that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its ACIS database, which handles inquiries from consumers about their personal credit data. Even though Equifax’s security team ordered that each of the company’s vulnerable systems be patched within 48 hours after receiving the alert, Equifax did not follow up to ensure the order was carried out... Equifax did not discover that its ACIS database was unpatched until July 2017... A company investigation revealed that multiple hackers were able to exploit the ACIS vulnerability to gain entry to Equifax’s network, where they accessed an unsecured file that included administrative credentials stored in plain text. These credentials allowed the hackers to gain access to vast amounts of consumers’ personally identifiable information... The hackers targeted Social Security numbers, dates of birth, and other sensitive information, mostly from consumers who had purchased products from Equifax such as credit scores, credit monitoring, or identity theft prevention services. For example, hackers stole at least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and expiration dates. Hackers were able to access a staggering amount of data because Equifax failed to implement basic security measures... the FTC also alleges that Equifax stored network credentials and passwords, as well as Social Security numbers and other sensitive consumer information, in plain text."

A truly staggering amount. The most sensitive personal and financial information, indeed. Terms of the proposed settlement:

"... Equifax will pay $300 million to a fund that will provide affected consumers with credit monitoring services. The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the 2017 data breach. Equifax will add up to $125 million to the fund if the initial payment is not enough to compensate consumers for their losses. In addition, beginning in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years—in addition to the one free annual credit report that Equifax and the two other nationwide credit reporting agencies currently provide."

The settlement also requires Equifax to implement a "comprehensive information security plan," and to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the CFPB in civil penalties. The comprehensive information security plan will: a) designate an employee to oversee the program; b) include annual assessment of security risks and safeguards; c) obtain "annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order;" d) monitor the effectiveness of security safeguards implemented; e) ensure service providers that access personal information stored by Equifax also implement adequate safeguards; and f) obtain third-party assessments every two years.

The CFPB also announced the proposed settlement on its website. CFPB Director Kathleen L. Kraninger said:

"Today’s announcement is not the end of our efforts to make sure consumers’ sensitive personal information is safe and secure. The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers. Too much is at stake for the financial security of the American people to make these protections anything less than a top priority."

Kraninger also encouraged consumers affected by the breach to submit their claims to receive free credit monitoring or cash reimbursements. Equifax Chief Executive Officer Mark W. Begor said:

"This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company. The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data... We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement while continuing our $1.25 billion EFX2020 technology and security investment program..."

Also, Equifax has set up a website about the settlement: www.equifaxbreachsettlement.com. However, the site says it won't be fully functional until after it receives the approved court order. So, it seems best for affected consumers to deal directly with the FTC.

And, several questions remain. The Identity Theft Resource Center (ITRC) discussed the proposed settlement:

"What victims will qualify for reimbursement? How will victims provide accurate evidence of their efforts and misfortunes? Is this fund only for victims who purchased identity theft services? What is the option for victims who did not have the resources then or now to purchase paid services or avail themselves of free services like those ITRC provides? If all victims filed claims and funds were distributed equally to all 148 million people, each would receive fewer than $3.00 in funds or cost of assistance. This does not accurately reflect the true value of the data that was compromised..."

Yep. More payments by Equifax may be required.

And, the ITRC article includes an important reminder. While the Equifax offer includes a long period of free credit monitoring services -- up to 10 years versus the usual 2 -- the risk to affected consumers never goes away:

"... identity theft has no expiration date. The threat of identity theft does not decrease as more time passes from the date of the breach."

This is why it is critical for companies to deploy the strongest data security measures possible. After data breaches, consumers bear the long-term risks.

Last, the FTC encourages Equifax employees who believe the company fails to comply with the settlement to contact the FTC at equifax@ftc.gov. Affected consumers should contact the FTC directly at the website below:

F.T.C. instructions for consumers affected by Equifax breach


Low-Wage Workers Are Being Sued for Unpaid Medical Bills by a Nonprofit Christian Hospital That Employs Them

[Editor's note: today's guest post, by reporters at ProPublica, discusses business practices within the healthcare industry, and related issues of wages and debt collection. It is reprinted with permission.]

By Wendi C. Thomas, MLK50

MEMPHIS, Tennessee — This year, a Methodist Le Bonheur Healthcare housekeeper left her job just three hours into her shift and caught a bus to Shelby County General Sessions Court. Wearing her black and gray uniform, she had a different kind of appointment with her employer: The hospital was suing her for unpaid medical bills.

In 2017, the nonprofit hospital system based in Memphis sued the woman for the cost of hospital stays to treat chronic abdominal pain she experienced before the hospital hired her. She now owes Methodist more than $23,000, including around $5,800 in attorney’s fees.

It’s surreal, she said, to be sued by the organization that pays her $12.25 an hour. “You know how much you pay me. And the money you’re paying, I can’t live on,” said the housekeeper, who asked that her name not be used for fear that the hospital would fire her for talking to a reporter.

From 2014 through 2018, the hospital system affiliated with the United Methodist Church has filed more than 8,300 lawsuits against patients, including its own workers. After winning judgments, it has sought to garnish the wages of more than 160 Methodist workers and has actually done so in more than 70 instances over that time, according to an MLK50-ProPublica analysis of Shelby County General Sessions Court records, online docket reports and case files.

Some of the debts were accrued while the employees worked at Methodist; others predated their time there. The figures do not include debts incurred by onetime Methodist employees who have since moved on.

Between January and mid-June, a reporter observed more than a dozen Methodist employees in court to defend themselves in suits brought by the hospital over hospital bills.

That includes a Methodist Le Bonheur employee who owes more than $1,200. In January, she proposed paying $100 a month, even though her sworn affidavit listed monthly expenses that exceeded her $1,650 monthly income. After conferring with an attorney for Methodist, Judge Betty Thomas Moore agreed to the worker’s proposal, but she has already missed a payment.

A few weeks later, a Methodist employee appeared for an initial hearing wearing hospital scrubs. The hospital had sued her for more than $4,000. When she left the courtroom, she was annoyed. Her employer knew where she worked, she said, and should have contacted her before suing her. “I don’t know why they can’t come upstairs,” she said outside the courtroom.

And in May, an employee who has worked for Methodist for more than four years carried a large envelope full of bills with her into the courtroom. She owed more than $5,400, which included a 2017 hospital charge from the newborn unit. That is the same year that her daughter was born, according to her sworn affidavit, which also listed a checking account balance of less than $4. She offered to pay $10 biweekly, or $20 most months, but Methodist’s attorney wanted $200 per month. The judge ordered her to pay $100 per month.

It’s not uncommon for hospitals to sue patients over unpaid debts, but what is striking at Methodist, the largest hospital system in the Memphis region, is how many of those patients end up being its own employees. Hardly a week goes by in which Methodist workers aren’t on the court docket fighting debt lawsuits filed by their employer.

Making matters worse, employees say, is that Methodist’s health insurance benefits only allow employees to seek medical care at Methodist facilities, even though the financial assistance policies at its competitors are more generous.

An expert in hospital billing practices said that if the hospital is suing a fair number of its own employees, it’s time to look both at the insurance provided to workers and the pay scale.

“One would hope that if this is an action being taken against a significant amount of employees, the hospital would look at the insurance they provide workers,” said Mark Rukavina, an expert in nonprofit hospitals and a manager at Community Catalyst, a health care advocacy organization.

Methodist declined requests for an interview. It did not respond to specific written questions about the lawsuits it files against its workers or about how its policies reflect the values of the United Methodist Church. Instead, in a statement, it said it is committed to working with patients who are having trouble paying their medical bills.

“As the second largest private employer in Shelby County, we recognize the responsibility we have as an organization to contribute to the success of the diverse communities we serve and are purposeful about creating jobs in our community — intentionally choosing to keep services like printing, laundry and others in-house that are typically outsourced by the healthcare industry,” the hospital said.

Methodist also declined to answer a question about whether it has any policy that prohibits employees being sued by Methodist from talking to a reporter about the lawsuits filed against them by the hospital.

Employer and Legal Adversary

On a single January day, there were 10 defendants on the docket whose place of employment was listed in court records as Methodist.

Employees in scrubs sat just feet away from the attorneys in dress suits whom their employer hired to sue them. The hospital’s role as a tax-exempt organization that both employs the defendants and is suing them went unremarked upon by judges, attorneys and the defendants themselves.

Methodist’s financial assistance policy stands out from peers in Memphis and across the country, MLK50 and ProPublica found. The policy offers no assistance for patients with any form of health insurance, no matter their out-of-pocket costs. Under Methodist’s insurance plan, employees are responsible for a $750 individual deductible and then 20% of inpatient and outpatient costs, up to a maximum out-of-pocket cost of $4,100 per year.

The housekeeper’s story is documented in Shelby County General Sessions Court records, including online docket reports and online payment history. A reporter interviewed the housekeeper multiple times in person and on the phone. The employee gave the reporter six years of itemized Methodist hospital bills, her credit report and other past-due medical bills. Most of her debts were incurred before she started working at Methodist.

Five times between 2012 and 2014, she visited the hospital for stomach problems, according to the itemized bills. (Years later, she had surgery to treat diverticulitis.) At those times, she had insurance through her job at a hotel, where she cleaned rooms for $10.66 an hour. After insurance paid its share, she owed just over $17,500.

In 2015, the housekeeper left the hotel job and lost her insurance. Three times that year she went to Methodist’s ER, but since she was uninsured and had little income, she qualified for financial assistance. Methodist wrote off more than $45,000 in hospital bills.

In a statement, Methodist said it gives an automatic 70% discount to uninsured patients and free care to uninsured patients at or below 125% of the federal poverty guidelines. For a single adult with two dependents, that would be just over $26,600. Uninsured patients who earn more than that, but less than twice the poverty limit, are also eligible for discounts, it said.

In 2016, unable to find work, the housekeeper left Memphis. For more than a year, she said, she and her son were homeless, bouncing between relatives in Chicago, where she was born, and Texas.

But she missed her daughter and grandchildren in Memphis, so in 2017, she returned. In August 2017, Methodist sued her for the bills she accumulated when she was insured years earlier. Later that month, she was hired at a Methodist hospital, starting at $11.95 an hour.

The hospital’s collections agency, which it owns, didn’t have her correct address and was unable to serve notice that she had been sued, but last year, Methodist tried again. This time, it had the right address.

In November, a process server handed her the civil warrant at her South Memphis apartment.

At the process server’s recommendation, she called the hospital’s collection agency and offered to pay $50 every two weeks. “But they said it wasn’t enough,” she recalled. “I would just have to go to court. They said I’d be owing them all my life,” she recalled.

In a sworn affidavit filed with the court this year, the housekeeper listed her dependents as a grandson and her 27-year-old son, who she said has bipolar disorder and schizophrenia. She told the court she earned $16,000 in 2017, which puts her more than $4,000 below that year’s federal poverty level for a family of three. (Because she had insurance, though, she was ineligible for assistance under the hospital’s policy.)

Fred Morton, a retired Methodist minister in Memphis, said he was surprised to learn that Methodist is suing its own employees.

“The employees should be paid an adequate minimum wage at the very least,” he said. “Certainly they should not be predatory to their own employees on medical bills. That’s very much contrary to Scripture.”

He said that Methodist bishops who serve on its board bear responsibility for reminding it of the denomination’s values. “It’s a matter of the church pushing on its own,” Morton said.

Three United Methodist Church bishops serve on the hospital’s board. Bishop Gary Mueller’s office referred a reporter to Methodist Le Bonheur Healthcare’s communications office. Bishop Bill McAilly declined to comment. Bishop James E. Swanson did not respond to multiple requests for comment.

When the housekeeper appeared before a General Sessions Court judge this year, she’d filed a motion offering to pay $50 biweekly, or $100 in most months. When the hospital’s attorney asked for $200 per month, she was stunned.

“This is my only job, this is my only income, so how am I supposed to live?” she remembered thinking.

Nervous that the judge would side with the hospital, the housekeeper made another offer.

“I could do $75 every two weeks,” she said quickly. The attorney agreed and the judge signed the order.

Being an employee and defendant is “really kind of sad,” the housekeeper said. Asked how she manages to make ends meet, she says she doesn’t. “It’s killing me, killing me softly,” she said.

She said she didn’t reach out to the hospital’s payroll department or a manager about the hospital bills she’s being sued for. “They don’t care about that... That I do know.”

“I Don’t Want to Be Homeless Again”

Part of what makes paying medical bills so hard for some Methodist employees is that their wages are low, lagging behind several other large employers in the Memphis market. In December, St. Jude Children’s Research Hospital announced it was raising its minimum pay for full and part-time workers to $15 an hour. St. Jude’s decision followed a similar commitment by the Shelby County government, Shelby County Schools and Blue Cross Blue Shield of Tennessee.

At Methodist, which operates five hospitals in Shelby County, the lowest-paid employees make $10 an hour and about 18% of workers make less than $15 an hour, the hospital reported in response to MLK50’s 2018 Living Wage Survey.

As recently as 2017, the Greater Memphis Chamber advertised on its website that the city offered a workforce at “wage rates that are lower than most other parts of the country.”

The United Methodist Church’s Social Principles, which state the denomination’s position on everything from climate change to the death penalty, speak directly to what employees should earn. “Every person has the right to a job at a living wage,” it states.

The Living Wage Model statement on the church’s website says, “Exploitation or underpayment of workers is incompatible with Christ’s commandment to love our neighbor.”

Methodist, which made Forbes’ 2019 list of Best Employers by State, did not answer specific questions about pay for employees. On its website, it says, “It is the policy of Methodist Le Bonheur Healthcare to pay its employees competitive, market-based wages.”

Neither Methodist, nonprofit Baptist Memorial Healthcare nor Regional One, the public hospital, pays all their employees at least $15 an hour. Even that figure would make it impossible to make ends meet for an employee trying alone to support a household with dependents, according to MIT’s Living Wage Calculator and another created by the Economic Policy Institute, both of which take into account local living expenses.

The housekeeper’s $12.25 an hour pay falls well short of that. Without overtime, she said her take-home pay would be around $1,600 per month. Her rent is $610.

Even with as much overtime as she gets, she’s turned to payday loans. Since December, she’s renewed a $425 payday loan every two weeks, paying $71 each time. “You have to rob from Paul to pay Peter,” she said. “It doesn’t never seem like you can get ahead.”

The housekeeper applied for a job at Walmart but was told the store nearest her is not accepting applications. She doubts the pay will be any better, but she hopes it’ll be less stressful.

"Times be hard, because sometimes my body feels like I can’t make it, but I get up anyway, because I don’t want to be homeless again."

ProPublica is a Pulitzer Prize-winning investigative newsroom.


2 Healthcare Software Providers Agree To Settlement With 16 States' Attorneys General To Resolve Charges About 2015 Data Breach

The Attorney General's Office for the State of Arizona announced last month a major settlement agreement with two healthcare software providers, Medical Informatics Engineering Inc. and its subsidiary, NoMoreClipboard, LLC (hereafter referred to jointly as "MIE"), following a massive data breach at MIE in 2015. The press release by AG Mike Brnovich stated:

"The settlement resolves a bipartisan lawsuit filed by Arizona and 15 other states against MIE relating to a 2015 data breach, which was the first such multistate lawsuit involving claims under the federal Health Insurance Portability and Accountability Act ("HIPAA"). As a result of the settlement, MIE will pay $900,000 to the states, and it has agreed to a comprehensive injunction requiring the implementation of significant data-security improvements."

The case was filed in the U.S. District Court for the Northern District of Indiana, where MIE is headquartered. States involved in the joint lawsuit and settlement included Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin.

The data breach occurred between May 7, 2015, and May 26, 2015, when hackers broke into WebChart, a web application by MIE, and stole:

"... the electronic Protected Health Information ("ePHI") of more than 3.9 million individuals, including roughly 26,000 Arizonans. Stolen ePHI included names, telephone numbers, mailing addresses, usernames, hashed passwords, security questions and answers, spousal information (name and potentially date of birth), email addresses, dates of birth, Social Security numbers, lab results, health insurance policy information, diagnoses, disability codes, doctors’ names, medical conditions, and children’s names and birth statistics."

The consent order and judgment is available here. Indiana’s share was $174,745.29. Indiana AG Curtis Hill said:

"Hoosier consumers trust us to look out for their interests... Once again, we have acted on their behalf to pursue the appropriate penalties and remedies available under the law. We hope our proactive measures serve to motivate all companies doing business in Indiana to exercise the highest possible ethics and the utmost diligence in making sure their systems are safe and secure."


Google Home Devices Recorded Users' Conversations. Legal Questions Result. Google Says It Is Investigating

Many consumers love the hands-free convenience of smart speakers. However, there are risks with the technology. BBC News reported on Thursday:

"Belgian broadcaster VRT exposed the recordings made by Google Home devices in Belgium and the Netherlands... VRT said the majority of the recordings it reviewed were short clips logged by the Google Home devices as owners used them. However, it said, 153 were "conversations that should never have been recorded" because the wake phrase of "OK Google" was not given. These unintentionally recorded exchanges included: a) blazing rows; b) bedroom chatter; c) parents talking to their children; d) phone calls exposing confidential information. It said it believed the devices logged these conversations because users said a word or phrase that sounded similar to "OK Google" that triggered the device..."

So, conversations that shouldn't have been recorded were recorded by Google Home devices. Consumers use the devices to perform and control a variety of tasks, such as entertainment (e.g., music, movies, games), internet searches (e.g., cooking recipes), security systems and cameras, thermostats, window blinds and shades, appliances (e.g., coffee makers), online shopping, and more.

The device software doesn't seem accurate, since it mistook similar-sounding phrases for the wake phrase. Google calls these errors "false accepts." Google replied in a blog post:

"We just learned that one of these language reviewers has violated our data security policies by leaking confidential Dutch audio data. Our Security and Privacy Response teams have been activated on this issue, are investigating, and we will take action. We are conducting a full review of our safeguards... We apply a wide range of safeguards to protect user privacy throughout the entire review process. Language experts only review around 0.2 percent of all audio snippets. Audio snippets are not associated with user accounts as part of the review process, and reviewers are directed not to transcribe background conversations or other noises, and only to transcribe snippets that are directed to Google."

"The Google Assistant only sends audio to Google after your device detects that you’re interacting with the Assistant—for example, by saying “Hey Google” or by physically triggering the Google Assistant... Rarely, devices that have the Google Assistant built in may experience what we call a “false accept.” This means that there was some noise or words in the background that our software interpreted to be the hotword (like “Ok Google”). We have a number of protections in place to prevent false accepts from occurring in your home... We also provide you with tools to manage and control the data stored in your account. You can turn off storing audio data to your Google account completely, or choose to auto-delete data after every 3 months or 18 months..."

To be fair, Google is not alone. Amazon Alexa devices also record and archive users' conversations. Would you want your bedroom chatter recorded (and stored indefinitely)? Or your conversations with your children? Many persons work remotely from home, so would you want business conversations with coworkers recorded? I think not. Very troubling news.

And, there is more.

This data security incident confirms that human workers listen to recordings by Google Assistant devices. Those workers can be employees or outsourced contractors. Who are these contractors, by name? What methods does Google employ to confirm privacy compliance by contractors? So many unanswered questions.

Also, according to U.S. News & World Report:

"Google's recording feature can be turned off, but doing so means Assistant loses some of its personalized touch. People who turn off the recording feature lose the ability for the Assistant to recognize individual voices and learn your voice pattern. Assistant recording is actually turned off by default — but the technology prompts users to turn on recording and other tools in order to get personalized features."

So, to get the full value of the technology, users must enable recordings. That sounds a lot like surveillance by design. Not good. You'd think that Google software developers would have developed a standard vocabulary, or dictionary, in several languages (with beta test participants) to test the accuracy of the Assistant software, rather than review users' actual conversations. I guess they viewed it as easier, faster, and cheaper to snoop on users.

Since Google already scans the contents of Gmail users' email messages, maybe this is simply technology creep and Google assumed nobody would mind human reviews of Assistant recordings.

About the review of recordings by human workers, the M.I.T. Technology Review said:

"Legally questionable: Because Google doesn’t inform users that humans review recordings in this way, and thus doesn’t seek their explicit consent for the practice, it’s quite possible that it could be breaking EU data protection regulations. We have asked Google for a response and will update if we hear back."

So, it will be interesting to see what European Union regulators have to say about the recordings and human reviews.

To summarize: consumers have willingly installed perpetual surveillance devices in their homes. What are your views of this data security incident? Do you enable recordings on your smart speakers? Should human workers have access to archives of your recorded conversations?


Aggression Detectors: What They Are, Who Uses Them, And Why

Like most people, you probably have not heard of "aggression detectors." What are these devices? Who makes them? Who uses these devices and why? What consumers are affected?

To answer these questions, ProPublica explained who makes the devices and why:

"In response to mass shootings, some schools and hospitals are installing microphones equipped with algorithms. The devices purport to identify stress and anger before violence erupts... By deploying surveillance technology in public spaces like hallways and cafeterias, device makers and school officials hope to anticipate and prevent everything from mass shootings to underage smoking... Besides Sound Intelligence, South Korea-based Hanwha Techwin, formerly part of Samsung, makes a similar “scream detection” product that’s been installed in American schools. U.K.-based Audio Analytic used to sell its aggression- and gunshot-detection software to customers in Europe and the United States... Sound Intelligence CEO Derek van der Vorst said security cameras made by Sweden-based Axis Communications account for 90% of the detector’s worldwide sales, with privately held Louroe making up the other 10%... Mounted inconspicuously on the ceiling, Louroe’s smoke-detector-sized microphones measure aggression on a scale from zero to one. Users choose threshold settings. Any time they’re exceeded for long enough, the detector alerts the facility’s security apparatus, either through an existing surveillance system or a text message pinpointing the microphone that picked up the sound..."

The microphone-equipped sensors have been installed in a variety of industries. The Sound Intelligence website listed prisons, schools, public transportation, banks, healthcare institutes, retail stores, public spaces, and more. Louroe Electronics' site included a similar list plus law enforcement.

The ProPublica article also discussed several key issues. First, sensor accuracy and its own tests:

"... ProPublica’s analysis, as well as the experiences of some U.S. schools and hospitals that have used Sound Intelligence’s aggression detector, suggest that it can be less than reliable. At the heart of the device is what the company calls a machine learning algorithm. Our research found that it tends to equate aggression with rough, strained noises in a relatively high pitch, like [a student's] coughing. A 1994 YouTube clip of abrasive-sounding comedian Gilbert Gottfried ("Is it hot in here or am I crazy?") set off the detector, which analyzes sound but doesn’t take words or meaning into account... Sound Intelligence and Louroe said they prefer whenever possible to fine-tune sensors at each new customer’s location over a period of days or weeks..."

Second, accuracy concerns:

"[Sound Intelligence CEO] Van der Vorst acknowledged that the detector is imperfect and confirmed our finding that it registers rougher tones as aggressive. He said he “guarantees 100%” that the system will at times misconstrue innocent behavior. But he’s more concerned about failing to catch indicators of violence, and he said the system gives schools and other facilities a much-needed early warning system..."

This is interesting and troubling. Sound Intelligence's position seems to suggest that it is okay for the sensor to misidentify innocent persons as aggressive in order to avoid failing to identify truly aggressive persons seeking to do harm. That sounds like the old saying: the ends justify the means. Not good. The harms against innocent persons matter, especially when they are young students.

Yesterday's blog post described a far better corporate approach. Based upon current inaccuracies and biases with the technology, a police body camera maker assembled an ethics board to help guide its decisions regarding the technology; and then followed that board's recommendation not to implement facial recognition in its devices. Only when the inaccuracies and biases are resolved would it implement facial recognition.

What ethics boards have Sound Intelligence, Louroe, and other aggression detector makers utilized?

Third, the use of aggression detectors raises the issue of notice. Are there physical postings on-site at schools, hospitals, healthcare facilities, and other locations? Notice seems appropriate, especially since almost all entities provide notice (e.g., terms of service, privacy policy) for visitors to their websites.

Fourth, privacy concerns:

"Although a Louroe spokesman said the detector doesn’t intrude on student privacy because it only captures sound patterns deemed aggressive, its microphones allow administrators to record, replay and store those snippets of conversation indefinitely..."

I encourage parents of school-age children to read the entire ProPublica article. Concerned parents may demand explanations by school officials about the surveillance activities and devices used within their children's schools. Teachers may also be concerned. Patients at healthcare facilities may also be concerned.

Concerned persons may seek answers to several issues:

  • The vendor selection process, which aggression detector devices were selected, and why
  • Evidence supporting the accuracy of aggression detectors used
  • The school's/hospital's policy, if it has one, covering surveillance devices; plus any posted notices
  • The treatment and rights of persons (e.g., students, patients, visitors, staff) wrongly identified by aggression detector devices
  • Approaches by the vendor and school to improve device accuracy for both types of errors: a) wrongly identified persons, and b) failures to identify truly aggressive or threatening persons
  • How long the school and/or vendor archive recorded conversations
  • What persons have access to the archived recordings
  • The data security methods used by the school and by the vendor to prevent unauthorized access and abuse of archived recordings
  • All entities, by name, which the school and/or vendor share archived recordings with

What are your opinions of aggression detectors? Of device inaccuracy? Of the privacy concerns?


Police Body Cam Maker Says It Won't Use Facial Recognition Due To Problems With The Technology

We've all heard of the following three technologies: police body cameras, artificial intelligence, and facial recognition software. Across the nation, some police departments use body cameras.

Do the three technologies go together -- work well together? The Washington Post reported:

"Axon, the country’s biggest seller of police body cameras, announced that it accepts the recommendation of an ethics board and will not use facial recognition in its devices... the company convened the independent board last year to assess the possible consequences and ethical costs of artificial intelligence and facial-recognition software. The board’s first report, published June 27, concluded that “face recognition technology is not currently reliable enough to ethically justify its use” — guidance that Axon plans to follow."

So, a major U.S. corporation assembled an ethics board to guide its activities. Good. That's not something you read about often. Then, the same corporation followed that board's advice. Even better.

Why reject using facial recognition with body cameras? Axon explained in a statement:

"Current face matching technology raises serious ethical concerns. In addition, there are technological limitations to using this technology on body cameras. Consistent with the board's recommendation, Axon will not be commercializing face matching products on our body cameras at this time. We do believe face matching technology deserves further research to better understand and solve for the key issues identified in the report, including evaluating ways to de-bias algorithms as the board recommends. Our AI team will continue to evaluate the state of face recognition technologies and will keep the board informed about our research..."

Two types of inaccuracies occur with facial recognition software: i) persons falsely identified (a/k/a "false positives"); and ii) persons not identified (a/k/a "false negatives") who should have been identified. The ethics board's report provided detailed explanations:

"The truth is that current technology does not perform as well on people of color compared to whites, on women compared to men, or young people compared to older people, to name a few disparities. These disparities exist in both directions — a greater false positive rate and false negative rate."

The ethics board's report also explained the problem of bias:

"One cause of these biases is statistically unrepresentative training data — the face images that engineers use to “train” the face recognition algorithm. These images are unrepresentative for a variety of reasons but in part because of decisions that have been made for decades that have prioritized certain groups at the cost of others. These disparities make real-world face recognition deployment a complete nonstarter for the Board. Until we have something approaching parity, this technology should remain on the shelf. Policing today already exhibits all manner of disparities (particularly racial). In this undeniable context, adding a tool that will exacerbate this disparity would be unacceptable..."

So, well-meaning software engineers can create bias in their algorithms by using sets of images that are not representative of the population. The ethics board's 42-page report titled, "First Report Of The Axon A.I. & Policing Technology Ethics Board" (Adobe PDF; 3.1 Megabytes) listed six general conclusions:

"1: Face recognition technology is not currently reliable enough to ethically justify its use on body-worn cameras. At the least, face recognition technology should not be deployed until the technology performs with far greater accuracy and performs equally well across races, ethnicities, genders, and other identity groups. Whether face recognition on body-worn cameras can ever be ethically justifiable is an issue the Board has begun to discuss in the context of the use cases outlined in Part IV.A, and will take up again if and when these prerequisites are met."

"2: When assessing face recognition algorithms, rather than talking about “accuracy,” we prefer to discuss false positive and false negative rates. Our tolerance for one or the other will depend on the use case."

"3: The Board is unwilling to endorse the development of face recognition technology of any sort that can be completely customized by the user. It strongly prefers a model in which the technologies that are made available are limited in what functions they can perform, so as to prevent misuse by law enforcement."

"4: No jurisdiction should adopt face recognition technology without going through open, transparent, democratic processes, with adequate opportunity for genuinely representative public analysis, input, and objection."

"5: Development of face recognition products should be premised on evidence-based benefits. Unless and until those benefits are clear, there is no need to discuss costs or adoption of any particular product."

"6: When assessing the costs and benefits of potential use cases, one must take into account both the realities of policing in America (and in other jurisdictions) and existing technological limitations."
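As an added illustration (not code from Axon or its ethics board), the example below evaluates a hypothetical face matcher the way conclusions 1 and 2 above ask for: per-group false positive and false negative rates instead of one "accuracy" number, at two different decision thresholds. The match scores, ground-truth labels, group tags and the parity tolerance are all constructed assumptions.

```python
"""Per-group false positive and false negative rates for a face matcher.

Added illustration, not code from Axon or its ethics board. The scores,
ground-truth labels and group tags below are constructed to show how a single
aggregate "accuracy" figure can hide disparities that run in both directions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    score: float     # match confidence from a hypothetical face matcher, 0..1
    is_match: bool   # ground truth: does the probe really match the enrolled face?
    group: str       # demographic group label, used only for the disparity check


def confusion(samples, threshold):
    """Count outcomes when a match is declared whenever score >= threshold."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for s in samples:
        declared = s.score >= threshold
        if declared and s.is_match:
            counts["tp"] += 1
        elif declared:
            counts["fp"] += 1      # innocent person flagged as a match
        elif s.is_match:
            counts["fn"] += 1      # real match missed
        else:
            counts["tn"] += 1
    return counts


def rates(c):
    """Accuracy plus the two error rates the board prefers to discuss."""
    total = sum(c.values())
    negatives = c["fp"] + c["tn"]
    positives = c["fn"] + c["tp"]
    return {
        "accuracy": (c["tp"] + c["tn"]) / total if total else 0.0,
        "fpr": c["fp"] / negatives if negatives else 0.0,
        "fnr": c["fn"] / positives if positives else 0.0,
    }


def per_group_rates(samples, threshold):
    """Error rates for each group, plus the overall figures."""
    report = {}
    for g in sorted({s.group for s in samples}):
        report[g] = rates(confusion([s for s in samples if s.group == g], threshold))
    report["overall"] = rates(confusion(samples, threshold))
    return report


def parity_gap(report, metric):
    """Largest difference in `metric` between any two groups (overall excluded)."""
    values = [r[metric] for g, r in report.items() if g != "overall"]
    return max(values) - min(values)


def meets_parity(report, tolerance):
    """True only if both error rates are within `tolerance` across all groups."""
    return (parity_gap(report, "fpr") <= tolerance
            and parity_gap(report, "fnr") <= tolerance)


# Constructed evaluation set: 5 true matches and 5 non-matches per group.
SAMPLES = [
    # group A: one false positive and one false negative at threshold 0.6
    *(Sample(s, True, "A") for s in (0.90, 0.85, 0.80, 0.70, 0.55)),
    *(Sample(s, False, "A") for s in (0.10, 0.20, 0.30, 0.40, 0.65)),
    # group B: three false positives and two false negatives at threshold 0.6
    *(Sample(s, True, "B") for s in (0.90, 0.80, 0.70, 0.50, 0.45)),
    *(Sample(s, False, "B") for s in (0.20, 0.30, 0.62, 0.70, 0.75)),
]

if __name__ == "__main__":
    # Raising the threshold lowers group B's false positives but raises its
    # false negatives: the trade-off the board says depends on the use case.
    for threshold in (0.6, 0.72):
        report = per_group_rates(SAMPLES, threshold)
        print(f"threshold {threshold}:")
        for g, r in report.items():
            print(f"  {g:8} acc={r['accuracy']:.2f} "
                  f"fpr={r['fpr']:.2f} fnr={r['fnr']:.2f}")
        print("  parity within 0.1:", meets_parity(report, 0.1))
```

At threshold 0.6 the overall accuracy is 0.65, but group B's false positive rate is three times group A's, so the parity check fails.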

The board included persons with legal, technology, law enforcement, and civil rights backgrounds; plus members from the affected communities. Axon management listened to the report's conclusions and is following the board's recommendations (emphasis added):

"Respond publicly to this report, including to the Board’s conclusions and recommendations regarding face recognition technology. Commit, based on the concerns raised by the Board, not to proceed with the development of face matching products, including adding such capabilities to body-worn cameras or to Axon Evidence (Evidence.com)... Invest company resources to work, in a transparent manner and in tandem with leading independent researchers, to ensure training data are statistically representative of the appropriate populations and that algorithms work equally well across different populations. Continue to comply with the Board’s Operating Principles, including by involving the Board in the earliest possible stages of new or anticipated products. Work with the Board to produce products and services designed to improve policing transparency and democratic accountability, including by developing products in ways that assure audit trails or that collect information that agencies can release to the public about their use of Axon products..."

Admirable. Encouraging. The Washington Post reported:

"San Francisco in May became the first U.S. city to ban city police and agencies from using facial-recognition software... Somerville, Massachusetts became the second, with other cities, including Berkeley and Oakland, Calif., considering similar measures..."

Clearly, this topic bears monitoring. Consumers and government officials are concerned about accuracy and bias. So, too, are some corporations.

And, more news seems likely. Will other technology companies and local governments utilize similar A.I. ethics boards? Will schools, healthcare facilities, and other customers of surveillance devices demand products with accuracy and without bias supported by evidence?


Evite Admitted Data Breach. Doesn't Disclose The Number Of Users Affected

Evite, the online social and invitations site, disclosed last month a data breach affecting some of its users:

"We became aware of a data security incident involving potential unauthorized access to our systems in April 2019. We engaged one of the leading data security firms and launched a thorough investigation. The investigation potentially traced the incident to malicious activity starting on February 22, 2019. On May 14, 2019, we concluded that an unauthorized party had acquired an inactive data storage file associated with our user accounts... Upon discovering the incident, we took steps to understand the nature and scope of the issue, and brought in external forensic consultants that specialize in cyber-attacks. We coordinated with law enforcement regarding the incident, and are working with leading security experts to address any vulnerabilities..."

Evite was founded in 1998, so there could be plenty of users affected. The breach announcement did not disclose the number of users affected.

The Evite breach announcement also said, "No user information more recent than 2013 was contained in the file" which was accessed/stolen by unauthorized persons. Evite said it has notified affected users, and has reset the passwords of affected users. The Evite system will prompt affected users to create new passwords when signing into the service.

The announcement listed the data elements accessed/stolen: names, usernames, email addresses, and passwords. If users also entered their birth dates, phone numbers, and mailing addresses, then those data elements were also accessed/stolen. Social Security numbers were not affected since Evite doesn't collect this data. Evite said payment information (e.g., credit cards, debit cards, bank accounts, etc.) was not affected because:

"We do not store financial or payment information. If you opted to store your payment card in your account, your payment information is maintained by and stored on the internal systems of our third-party vendor."

Thank goodness for small wonders. The Evite disclosure did not explain why passwords were not encrypted, nor whether that or other data elements would be encrypted in the future. As with any data breach, context matters. ZDNet reported:

"... a hacker named Gnosticplayers put up for sale the customer data of six companies, including Evite. The hacker claimed to be selling ten million Evite user records that included full names, email addresses, IP addresses, and cleartext passwords. ZDNet reached out to notify Evite of the hack and that its data was being sold on the dark web on April 15; however, the company never returned our request for comment... Back in April, the data of 10 million Evite users was put up for sale on a dark web marketplace for ฿0.2419 (~$1,900). The same hacker has breached, stolen, and put up for sale the details of over one billion users from many other companies, including other major online services, such as Canva, 500px, UnderArmor, ShareThis, GfyCat, Ge.tt, and others."

The incident is another reminder of the high value of consumers' personal data, and that hackers take action quickly to use or sell stolen data.


FTC Urged To Rule On Legality Of 'Secret Surveillance Scores' Used To Vary Prices By Each Online Shopper

Nobody wants to pay too much for a product. If you like online shopping, you may have been charged higher prices than your neighbors. Gizmodo reported:

"... researchers have documented and studied the use of so-called "surveillance scoring," the shadowy, but widely adopted practice of using computer algorithms that, in commerce, result in customers automatically paying different prices for the same product. The term also encompasses tactics used by employers and landlords to deny applicants jobs and housing, respectively, based on suggestions an algorithm spits out. Now experts allege that much of this surveillance scoring behavior is illegal, and they are asking the Federal Trade Commission (FTC) to investigate."

"In a 38-page petition filed last week, the Consumer Education Foundation (CEF), a California nonprofit with close ties to the group Consumer Watchdog, asked the FTC to explore whether the use of surveillance scores constitutes “unfair or deceptive practices” under the Federal Trade Commission Act..."

The petition is part of a "Represent Consumers" (RC) program.

Many travelers have experienced dynamic pricing, where airlines vary fares based upon market conditions: when demand increases, prices go up; when demand decreases, prices go down. Similarly, when there are many unsold seats (e.g., plenty of excess supply), prices go down. But that dynamic pricing does not vary for each traveler.

Pricing by each person raises concerns of price discrimination. The legal definition of price discrimination in the United States:

"A seller charging competing buyers different prices for the same "commodity" or discriminating in the provision of "allowances" — compensation for advertising and other services — may be violating the Robinson-Patman Act... Price discriminations are generally lawful, particularly if they reflect the different costs of dealing with different buyers or are the result of a seller's attempts to meet a competitor's offering... There are two legal defenses to these types of alleged Robinson-Patman violations: (1) the price difference is justified by different costs in manufacture, sale, or delivery (e.g., volume discounts), or (2) the price concession was given in good faith to meet a competitor's price."

Airlines have wanted to extend dynamic pricing to each person, and "surveillance scores" seem perfectly suited for the task. The RC petition is packed with information that helps consumers understand the extent of these business practices. First, the petition described the industry involved:

"Surveillance scoring starts with "analytics companies," the true number of which is unknown... these firms amass thousands or even tens of thousands of demographic and lifestyle data points about consumers, with the help of an estimated 121 data brokers and aggregators... The analytics firms use algorithms to categorize, grade, or assign a numerical value to a consumer based on the consumer’s estimated predicted behavior. That score then dictates how a company will treat a consumer. Consumers deemed to be less valuable are treated poorly, while consumers with better “grades” get preferential treatment..."

Second, the RC petition cited a study which identified 44 different types of proprietary surveillance scores used by industry participants to predict consumer behavior. Some of the score types (emphasis added):

"The Medication Adherence Score, which predicts whether a consumer is likely to follow a medication regimen; The Health Risk Score, which predicts how much a specific patient will cost an insurance company; The Consumer Profitability Score, which predicts which households may be profitable for a company and hence desirable customers; The Job Security Score, which predicts a person’s future income and ability to pay for things; The Churn Score, which predicts whether a consumer is likely to move her business to another company; The Discretionary Spending Index, which scores how much extra cash a particular consumer might be able to spend on non-necessities; The Invitation to Apply Score, which predicts how likely a consumer is to respond to a sales offer; The Charitable Donor Score, which predicts how likely a household is to make significant charitable donations; and The Pregnancy Predictor Score, which predicts the likelihood of someone getting pregnant."

It is important to note that the RC petition does not call for a halt in the collection of personal data about consumers. Rather, it asks the FTC, "to investigate and prohibit the targeting of consumers’ private data against them after it has been collected." Clarity is needed about what is, and is not, legal when consumers' personal data is used against them.

Third, the RC petition also cited published studies about pricing discrimination:

"An early seminal study of price discrimination published by researchers at Northeastern University in 2014 (Northeastern Price Discrimination Study) examined the pricing practices of e-commerce websites. The researchers developed a software-based methodology for measuring price discrimination and tested it with 300 real-world users who shopped on 16 popular e-commerce websites. Of ten different general retailers tested in 2014, only one -- Home Depot -- was confirmed to be engaging in price discrimination. Home Depot quoted prices to mobile-device users that were approximately $100 more than those quoted to desktop users. The researchers were unable to ascertain why... The Northeastern Price Discrimination Study also found that “human shoppers got worse bargains on a number of websites,” compared to an automated shopping browser that did not have any personal data trail associated with it, validating that Home Depot was considering shoppers’ personal data when setting prices online."

So, concerns about price discrimination aren't simply theory. Related to that, the RC petition cited its own research:

"... researchers at Northeastern University developed an online tool to “expose how websites personalize prices.” The Price Discrimination Tool (PDT) is a plug-in extension used on the Google Chrome browser that allows any Internet user to perform searches on five websites to see if the user is being charged a different price based on whatever information the companies have about that particular user. The PDT uses a remote computer server that is anonymous -- it has no personal data profile... The PDT then displays the price results from the human shopper’s search and those obtained by the remote anonymous computer server. Our own testing using the PDT revealed that Home Depot continues to offer different prices to human shoppers. For example, a search on Home Depot’s website for “white paint” reveals price discrimination. Of the 24 search results on the first page, Home Depot quoted us higher prices for six tubs of white paint than it quoted the anonymous computer... Our testing also revealed similar price discrimination on Home Depot’s website for light bulbs, toilet paper, toilet paper holders, caulk guns, halogen floor lamps and screw drivers... We also detected price discrimination on Walmart’s website using the PDT. Our testing revealed price discrimination on Walmart’s website for items such as paper towels, highlighters, pens, paint and toilet paper roll holders."

The RC petition listed examples: the Home Depot site quoted $59.87 for a five-gallon bucket of paint to the anonymous user, and $62.96 for the same product to a researcher. Another example: the site quoted $10.26 for a toilet-paper holder to the anonymous user, and $20.89 for the same product to a researcher -- double the price. Price differences per person ranged from small to huge.

Besides concerns about price discrimination, the RC petition discussed "discriminatory customer service," and the data analytics firms allegedly involved:

"Zeta Global sells customer value scores that will determine, among other things, the quality of customer service a consumer receives from one of Zeta’s corporate clients. Zeta Global “has a database of more than 700 million people, with an average of over 2,500 pieces of data per person,” from which it creates the scores. The scores are based on data “such as the number of times a customer has dialed a call center and whether that person has browsed a competitor’s website or searched certain keywords in the past few days.” Based on that score, Zeta will recommend to its clients, which include wireless carriers, whether to respond to one customer more quickly than to others.

"Kustomer Inc.: Customer-service platform Kustomer Inc. uses customer value scores to enable retailers and other businesses to treat customer service inquiries differently..."

"Opera Solutions: describes itself as a “a global provider of advanced analytics software solutions that address the persistent problem of scaling Big Data analytics.” Opera Solutions generates customer value scores for its clients (including airlines, retailers and banks)..."

The petition cited examples of "discriminatory customer service," which include denied product returns, or customers shunted to less helpful customer service options. Plus, there are accuracy concerns:

"Considering that credit scores – the existence of which has been public since 1970 – are routinely based on credit reports found to contain errors that harm consumers’ financial standing, it is highly likely that Secret Surveillance Scores are based on inaccurate or outdated information. Since the score and the erroneous data upon which it relies are secret, there is no way to correct an error, assuming the consumer was aware of it."

Regular readers of this blog are already aware of errors in reports from credit reporting agencies. A copy of the RC petition is also available here (Adobe PDF, 3.2 Mbytes).

What immediately becomes clear while reading the petition is the massive amount of personal data collected about consumers to create several proprietary scores. Consumers have no way of knowing nor challenging the accuracy of the scores when they are used against them. So, not only has an industry arisen which profits by acquiring and then selling, trading, analyzing, and/or using consumers' data; there is little to no accountability.

In other words, the playing field is heavily tilted for corporations and against consumers.

This is also a reminder why telecommunications companies fought hard for the repeal of broadband privacy and repeal of net neutrality, both of which the U.S. Federal Communications Commission (FCC) provided in 2017 under the leadership of FCC Chairman Ajit Pai, a Trump appointee. Repeal of the former consumer protection allows unrestricted collection of consumers' data, plus new revenue streams to sell the data collected to analytics firms, data brokers, and business partners.

Repeal of the second consumer protection allows internet and cable providers to price content using whatever criteria they choose. You see a rudimentary version of this pricing in a business practice called "zero rating." An example: streaming a movie via a provider's internet service counts against a data cap while the same movie viewed through the same provider's cable subscription does not. Yet, the exact same movie is delivered through the exact same cable (or fiber) internet connection.

Smart readers immediately realize that a possible next step is per-person zero rating. Streaming a movie might count against your data cap but not against your neighbor's. Who would know? Oversight and consumer protections are needed.

What are your opinions of secret surveillance scores?


Fracking Companies Lost on Trespassing, but a Court Just Gave Them a Different Win

[Editor's note: today's guest post by ProPublica discusses business practices within the fracking industry. It is reprinted with permission.]

By Ken Ward Jr., The Charleston Gazette-Mail

A week after the West Virginia Supreme Court unanimously upheld the property rights of landowners battling one natural gas giant, the same court tossed out a challenge filed by another group of landowners against a different natural gas company.

In the latest case, decided earlier this month, the court upheld a lower court ruling that threw out a collection of lawsuits alleging dust, traffic and noise from gas operations were creating a nuisance for nearby landowners.

Charlie Burd, executive director of the Independent Oil and Gas Association of West Virginia, said the latest ruling lets “Wall Street know capital investment in oil and natural gas is welcome in West Virginia” and increases the possibility of more such investments in drilling and in so-called “downstream” chemical and manufacturing plants related to the gas industry.

In the property rights case last week, the justices set a clear legal standard that natural gas companies can’t trespass on a person’s land, without permission, to tap into gas reserves from neighboring tracts. In Monday’s case, the justices didn’t articulate a new legal precedent.

The mixed messages of the two cases show that “this is new litigation and the theories are evolving,” said Anthony Majestro, a lawyer who represented residents who lost their nuisance action before the Supreme Court.

“As the Marcellus shale drilling has expanded, there have been conflicts between surface owners and the companies that are drilling,” Majestro said. “Absent some legal requirement to require the industry to be good neighbors, I’m afraid we’ll continue to have these situations.”

Majestro’s clients were a group of residents in the Cherry Camp area of Harrison County, in north-central West Virginia. They wanted Antero Resources, the state’s largest gas company, to compensate them for unbearable traffic, “constant dust” that hangs in the air and settles on homes and vehicles, disruptive heavy equipment noise and bright lights that shine into their homes day and night.

The case focused on two dozen wells and a compressor station on six pads. The plaintiffs argued that their lives were being interfered with by Antero’s production of gas from beneath their property, even though the wells were on neighboring land, not on their own properties.

Across West Virginia’s gas-producing region, many residents own the surface of the land where they live, but don’t hold the minerals located beneath. Often, rights to the natural gas were signed over decades ago, long before drilling and gas production of the size and scope now conducted was even dreamed of.

The two court cases were featured last year as part of a series of stories by the Gazette-Mail and ProPublica that explored the impacts of the growth of natural gas on West Virginia communities.

In some ways, the Antero case was more complex than the earlier matter, in which the state court ruled clearly for Doddridge County residents Beth Crowder and David Wentz in their dispute with EQT Corp., West Virginia’s second-largest gas producer.

EQT had built a well pad and pipelines on Crowder and Wentz’s property to reach natural gas not located beneath their farm, but under neighboring tracts, including some that were thousands of feet away. Modern natural gas drilling uses horizontal drilling to use smaller numbers of larger wells to reach much greater amounts of gas.

Justice John Hutchison wrote the court’s 5-0 decision against EQT, including a new point of law that sets a precedent that calls what the company did trespassing and forbids it from being done in the future.

The ruling in the Antero case was a split, 3-2 decision, and the opinion by Justice Evan Jenkins included no new points of law setting precedent for future cases.

Instead, his opinion was based on the view that Antero had gas leases that created a right for it to do whatever was “reasonably necessary” to get at its mineral holdings.

Antero spokeswoman Stephanie Iaquinta said, “We appreciate the court’s thorough review of this important matter and its decision.”

Chief Justice Beth Walker wrote a concurring opinion, pointing out that the majority decision wasn’t necessarily getting to the heart of the matter: whether the kinds of gas industry impacts complained about by the Harrison County residents constitute a legal nuisance.

And Justice Margaret Workman wrote a strongly worded dissent, saying that the court had not only ducked the central legal issue in the case, but that it had usurped the authority of a jury to decide if the facts of how Antero operates should be deemed to be “reasonably necessary” to produce natural gas.

“For a century, the tenor of our mineral easement case law, in each temporal and technological ideation, has been that there must be a balance of the rights of surface owners and mineral owners,” Workman wrote. “Rather than making any attempt to establish legal guidance for that goal in this new context, the majority endorses a gross inequity that effectively gives this new industrialization carte blanche to operate without any regard for the rights of those who live on the land.”

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.



Walmart To Pay $282 Million To Settle Bribery Charges By Regulators In The United States

The U.S. Securities And Exchange Commission (SEC) announced on June 20th a settlement agreement to resolve charges that Walmart violated:

"... the Foreign Corrupt Practices Act (FCPA) by failing to operate a sufficient anti-corruption compliance program for more than a decade as the retailer experienced rapid international growth... According to the SEC’s order, Walmart failed to sufficiently investigate or mitigate certain anti-corruption risks and allowed subsidiaries in Brazil, China, India, and Mexico to employ third-party intermediaries who made payments to foreign government officials without reasonable assurances that they complied with the FCPA. The SEC’s order details several instances when Walmart planned to implement proper compliance and training only to put those plans on hold or otherwise allow deficient internal accounting controls to persist even in the face of red flags and corruption allegations."

Walmart agreed to pay more than $144 million to settle the SEC’s charges and about $138 million to resolve parallel criminal charges by the U.S. Department of Justice (DOJ), for a combined total of more than $282 million. The settlements cover activities by the retailer's foreign subsidiaries in Brazil, China, India, and Mexico.

The DOJ announcement on June 20th stated:

"According to Walmart’s admissions, from 2000 until 2011, certain Walmart personnel responsible for implementing and maintaining the company’s internal accounting controls related to anti-corruption were aware of certain failures involving these controls, including relating to potentially improper payments to government officials in certain Walmart foreign subsidiaries, but nevertheless failed to implement sufficient controls that, among other things, would have ensured: (a) that sufficient anti-corruption-related due diligence was conducted on all third-party intermediaries (TPIs) who interacted with foreign officials; (b) that sufficient anti-corruption-related internal accounting controls concerning payments to TPIs existed; (c) that proof was required that TPIs had performed services before Walmart paid them; (d) that TPIs had written contracts that included anti-corruption clauses; (e) that donations ostensibly made to foreign government agencies were not converted to personal use by foreign officials; and (f) that policies covering gifts, travel and entertainment sufficiently addressed giving things of value to foreign officials and were implemented. Even though senior Walmart personnel responsible for implementing and maintaining the company’s internal accounting controls related to anti-corruption knew of these issues, Walmart did not begin to change its internal accounting controls related to anti-corruption to comply with U.S. criminal laws until 2011... In a number of instances, insufficiencies in Walmart’s anti-corruption-related internal accounting controls in these foreign subsidiaries were reported to senior Walmart employees and executives. The internal control failures allowed the foreign subsidiaries in Mexico, India, Brazil and China to open stores faster than they would have with sufficient internal accounting controls related to anti-corruption. Consequently, Walmart earned additional profits through these subsidiaries by opening some of its stores faster..."

So, to fast-track store openings, company executives allegedly made secret payments to "third-party individuals" who passed the money on to the specific government officials who approve permits. CBS News reported:

"... the payments to the intermediary were recorded as payments to a construction company, even though there were numerous "red flags" to indicate that the intermediary was actually a government official... The federal agreement does not identify the intermediary, but describes her in some detail: It says she became known inside Walmart Brazil as a "sorceress" or "genie" for her "ability to acquire permits quickly by 'sort(ing) things out like magic.' " The plea agreement also includes a provision barring the Brazilian subsidiary from making public claims or issuing press releases contradicting the facts outlined under the plea agreement."

Walmart is not alone regarding FCPA violations. According to the SEC, several companies agreed to settlement agreements and payments during 2019:

Readers of this blog may remember that Fresenius paid $3.5 million last year to resolve HIPAA violations from 5 small data breaches during 2012. And, last week a whistleblower report discussed Cognizant's content moderation work as a Facebook subcontractor.

Notable companies with SEC settlement agreements and payments during 2018:


Medical Collections Vendor Files For Bankruptcy Protection

Things have become complicated regarding American Medical Collection Agency (AMCA), a collections firm used by several medical testing firms. After breach announcements by Quest Diagnostics and LabCorp earlier this month, more healthcare firms announced breach notices.

So, more than 20 million persons have been affected. ZDNet reported the patient totals by healthcare firm:

"Quest Diagnostics (11.9 million patients), LabCorp (7.7 million patients), BioReference Laboratories (Opko Health subsidiary, 422,600 patients), Carecentrix (500,000 patients), and Sunrise Laboratories (undisclosed number of patients)."

Now, we learn that AMCA has filed for bankruptcy protection:

"According to the Chapter 11 declaration (.PDF), filed with the court for the Southern District of New York, AMCA first became aware of a potential security incident when a disproportionate number of credit cards that interacted with the company's web portal were linked to fraudulent transactions... Cybersecurity forensics bills of roughly $400,000, IT support costs, severe restrictions that were put in place to protect AMCA's network from further intrusion, looming court cases, and the loss of valuable business partners have all taken their toll."
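The detection signal described in that declaration, a disproportionate share of fraud-linked cards among the cards that touched one portal, is what card issuers call common-point-of-compromise analysis. The following is an added example (not code from AMCA, ZDNet, or this blog) showing how a defender would run that comparison over a transaction log: for each merchant, it compares the fraud rate among cards seen there against the fraud rate among cards never seen there. The merchant names, card ids, and the set of fraud-linked cards are constructed sample data; the `min_cards` and `min_lift` thresholds are assumed, not taken from any filing.

```python
"""Common-point-of-compromise triage over a constructed transaction log."""
from collections import defaultdict

# Constructed sample data (not from the AMCA filing): twenty cards, three
# merchants, and the subset of cards an issuer later linked to fraud.
TRANSACTIONS = [
    # (card_id, merchant) -- a card may appear more than once per merchant
    *[(f"c{i:02d}", "collections-portal") for i in range(1, 9)],
    ("c03", "collections-portal"),  # repeat visit; must not be double counted
    *[(f"c{i:02d}", "grocer") for i in range(5, 21)],
    *[(f"c{i:02d}", "fuel-station") for i in range(10, 15)],
]
FRAUD_CARDS = {"c01", "c02", "c03", "c04", "c05", "c06", "c15"}


def cards_by_merchant(transactions):
    """Map each merchant to the distinct set of cards seen there."""
    seen = defaultdict(set)
    for card, merchant in transactions:
        seen[merchant].add(card)
    return dict(seen)


def fraud_lift(merchant_cards, all_cards, fraud_cards):
    """Ratio of the fraud rate among cards seen at a merchant to the fraud
    rate among cards never seen there. Returns None when either population
    is empty, because the comparison is then undefined."""
    inside = merchant_cards
    outside = all_cards - merchant_cards
    if not inside or not outside:
        return None
    rate_in = len(inside & fraud_cards) / len(inside)
    rate_out = len(outside & fraud_cards) / len(outside)
    if rate_out == 0:
        # No fraud at all outside this merchant: any fraud inside is infinite lift.
        return float("inf") if rate_in > 0 else 0.0
    return rate_in / rate_out


def common_points_of_compromise(transactions, fraud_cards,
                                min_cards=5, min_lift=3.0):
    """Return (merchant, fraud_count, card_count, lift) for merchants whose
    card population is disproportionately fraud-linked, highest lift first.
    Thresholds are assumed values for this example, not industry constants."""
    per_merchant = cards_by_merchant(transactions)
    all_cards = {card for card, _ in transactions}
    hits = []
    for merchant, cards in per_merchant.items():
        if len(cards) < min_cards:
            continue  # too few cards for the rate to mean anything
        lift = fraud_lift(cards, all_cards, fraud_cards)
        if lift is not None and lift >= min_lift:
            hits.append((merchant, len(cards & fraud_cards), len(cards), lift))
    return sorted(hits, key=lambda h: h[3], reverse=True)


if __name__ == "__main__":
    for merchant, fraud, total, lift in common_points_of_compromise(
            TRANSACTIONS, FRAUD_CARDS):
        print(f"{merchant}: {fraud}/{total} cards fraud-linked, lift {lift:.1f}x")
```

With the constructed data, only `collections-portal` is flagged (6 of its 8 cards are fraud-linked, against 1 of the 12 cards that never used it), while the grocer, which every fraud card also visited, is not, because its fraud rate is no higher than the background. That inside-versus-outside comparison is what keeps a popular merchant from being blamed simply for seeing many cards.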

A "Chapter 11" bankruptcy means a reorganization, compared to a total liquidation under "Chapter 7." So, AMCA executives expect their company to survive.

ZDNet also reported that AMCA has paid more than:

"... $3.8 million to inform over seven million people who have potentially been impacted via mail. This figure alone is more than the company had to hand, forcing AMCA to take out a loan from the CEO and founder, Russell Fuchs, just to meet this expense. By filing for bankruptcy protection, the business will continue on as usual as AMCA seeks to pay off its creditors."

The costs highlight the consequences when companies fail to protect consumers' sensitive personal and payment data. The bankruptcy filing raises the next question: continue operating how effectively? Reportedly, AMCA has already cut its workforce from 155 to 25 employees. Usually under bankruptcy protection, a court decides which creditors get paid and whether they are paid in full -- including employees.

This scenario makes one wonder if AMCA can afford the ongoing expenses and resources necessary to harden its computer systems against intrusions, pay its employees, fully support data breach victims, and pay any post-breach fines. If AMCA can't pay its employees, it is probably already dead.


Leading Manufacturer Reverses Its Position on Paperless Voting Machines

A leading manufacturer of electronic voting machines has reversed its position on election security. Tom Burt, the CEO of Election Systems & Software (ES&S), said his company will no longer sell paperless voting machines. Mr. Burt wrote in Roll Call:

"... we must have physical paper records of votes. Our company, Election Systems & Software, the nation’s leading elections equipment provider, recently decided it will no longer sell paperless voting machines as the primary voting device in a jurisdiction. That’s because it is difficult to perform a meaningful audit without a paper record of each voter’s selections. Mandating the use of a physical paper record sets the stage for all jurisdictions to perform statistically valid post-election audits."

A 2017 study by researchers found 11 states where the majority of voters use paperless voting machines that store votes electronically -- without printed ballots or other paper-based backups to double-check the balloting. A March 2018 report by the Brennan Center For Justice found little progress since 2016 to replace old, vulnerable voting machines in the United States.

In his comments, Burt called upon Congress to act to improve the testing of voting machines. Burt also cited the challenges. First:

"There are about 10,000 jurisdictions in America that manage nearly 117,000 polling locations and utilize more than 560,000 voting machines (manufactured by multiple suppliers) on Election Day. That’s what you call a highly distributed and differentiated infrastructure..."

Second, jurisdictions have varying financial resources. Besides testing, it will cost money to replace obsolete and paperless voting machines. TechCrunch provided important context to Burt's comments:

"Senator Ron Wyden introduced a bill a year ago that would mandate voter-verified paper ballots for all election machines... Burt’s remarks are a sharp turnaround from the company’s position just a year ago, in which the election systems maker drew ire from the security community for denouncing vulnerabilities found by hackers at the annual Defcon conference. Security researchers at the conference’s Voting Village found a security flaw in an old but widely used voting machine in dozens of states. Their findings prompted a response by senior lawmakers on the Senate Intelligence Committee..."

So, the change in position by ES&S is a small start (and arguably a late one). What matters more will be action by ES&S and other voting-machine makers, and action by Congress.

Since a democracy relies upon elections, voting machine upgrades and testing could be considered an infrastructure issue. Both Congress and voting machine makers need to do their jobs. What are your opinions?


Court to Big Fracking Company: Trespassing Still Exists — Even For You

[Editor's note: today's guest post by ProPublica discusses business practices within the fracking industry. It is reprinted with permission. Readers may also be interested in this blog post from February.]

By Kate Mishkin and Ken Ward Jr., The Charleston Gazette-Mail

Seven years ago this month, Beth Crowder and David Wentz told natural gas giant EQT Corp. that it did not have permission to come onto their West Virginia farm to drill for the natural gas beneath neighboring properties.

EQT had a lease that entitled the company to the gas directly beneath their farm, but it also wanted to use a new, 20-acre well pad to gather gas from 3,000 acres of adjacent or nearby leases. The company ignored their warnings. It built roads and drilled a well, and it put in horizontal pipes stretching for miles in all directions.

Crowder and Wentz sued — and they’ve been fighting EQT in court ever since. On Wednesday, the West Virginia Supreme Court ended the matter with a surprisingly straightforward and unanimous conclusion: Going onto someone else’s land without their permission is trespassing.

Gas and other mineral companies must obtain permission from surface owners in order to use their land to reach reserves under other properties, Justice John Hutchison wrote for the court. "The right must be expressly obtained, addressed, or reserved in the parties’ deeds, leases, or other writings," he wrote.

Attorney Dave McMahon, who represented Crowder and Wentz, broke the news to them by phone. "The short answer is, we won. And we won big time," he said.

On the other end of the line in Doddridge County, Crowder and Wentz shouted and laughed. "I think I’m feeling kind of numb," Crowder said. "I’ve been used to being in limbo forever."

Kristina Whiteaker, another lawyer for Crowder and Wentz, told them, "You guys really made some good law for the whole state."

EQT said in a statement issued Thursday afternoon that the company was "disappointed in the court’s ruling” but didn’t “expect the decision to have a significant impact on our operations in West Virginia."

"We intend to maintain cooperative and mutually beneficial relationships with our customers, our partners, and residents in the regions where we do business," EQT said.

The West Virginia Oil and Natural Gas Association, an industry trade association, said it is analyzing the ruling to determine how it may impact its member companies.

In a statement, Charlie Burd, the executive director of the Independent Oil and Gas Association of West Virginia, said the industry group would have preferred a ruling that encouraged horizontal drilling, but planned to comply with it. “IOGAWV members like to have good relationships with property owners,” Burd said.

Crowder and Wentz’s saga was chronicled last year by the Gazette-Mail and ProPublica, in an investigation that detailed how the natural gas industry had gained an upper hand on the state’s residents.

The 22-page court ruling Wednesday represents a rare victory for residents in a state where economics and politics are increasingly controlled by the natural gas business after decades of domination by the coal industry. Making it more gratifying for Crowder and Wentz, the court that ruled in their favor has been under the microscope because of connections to the gas industry.

Much of the land in mineral-producing parts of West Virginia has split ownership. Someone might own the surface land, while someone else owns the coal, oil or gas underneath. Gas is generally produced under leases, in which gas owners or their ancestors granted a production company the right to drill. But often, the leases are so old the current owners didn’t sign them, and certainly the advanced types of gas-production techniques used today were not anticipated.

Compounding the matter, gas producers now use a process called hydraulic fracturing, which pumps huge amounts of water and chemicals underground to loosen up gas reserves, and drill extensive horizontal holes to suck in gas from much wider areas. They bring in fleets of heavy trucks and install tanks and pipelines. The entire process has brought an influx of vibrations, noise and traffic. Though bills have been introduced year after year that are designed to mitigate the impacts on residents, West Virginia lawmakers have repeatedly refused to act.

Crowder and Wentz moved to their 300-acre farm on Brush Run in 1975, part of the “back-to-the-land” movement, seeking to live simply and be left alone. They divorced in 2005 and split the land, but both still live there on separate tracts.

There had been small gas wells on the property for years, but they were nothing like the noise, traffic and disturbance that EQT brought with it when it drilled nine new wells that would take in gas through nearly 10 miles of underground bores.

In February 2016, a local judge ruled that EQT had trespassed, and in September 2017, a jury awarded Crowder and Wentz about $200,000 in damages. EQT appealed.

The case is one of two major gas property-rights and drilling cases this term in which the industry is pressing for rulings that support its current method and scope of operations.

In the other case heard before the West Virginia Supreme Court in January, Harrison County residents said Antero Resources’ operations were creating a nuisance. A ruling on that hasn’t been issued yet.

At the heart of these cases is the fact that, economically and technologically, gas production today is all about what industry officials call “laterals.” These horizontal holes are drilled out in all directions from a vertical well. They can pull in natural gas from several miles away.

Industry officials say horizontal drilling allows them to minimize environmental impacts by building one well pad for multiple wells. But in doing so, it has magnified the impact for those residents who happen to live near — or on — the tracts chosen for those pads.

The Independent Oil and Gas Association had warned in a court brief that a ruling against EQT in the case would have “significant negative implications upon future and existing natural gas development in West Virginia.” EQT lawyers made similar warnings at trial.

Joshua Fershee, a West Virginia University law professor who has followed the case, said that the court’s decision won’t stop gas drilling. It will, however, make it more expensive for companies to secure the needed rights.

In concluding the court’s opinion, Hutchison said the justices didn’t aim to “challenge or constrain the drilling methods chosen by the oil and gas industry.”

“The industry has shown that horizontal drilling and hydraulic fracturing techniques are evolving at a rapid pace and are an economical and efficient tool for producing hydrocarbons,” Hutchison wrote. “Our opinion only affirms a classical rule of property jurisprudence: it is trespassing to go on someone’s land without the right to do so.”


ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.