1,145 posts categorized "Corporate Responsibility" Feed

ABA Updates Guidance For Attorneys' Data Security And Data Breach Obligations. What Their Clients Can Expect

To provide the best representation, attorneys often process and archive sensitive information about their clients. Consumers hire attorneys to complete a variety of transactions: buy (or sell) a home, start (or operate) a business, file a complaint against a company, insurer, or website for unsatisfactory service, file a complaint against a former employer, and more. What are attorneys' obligations regarding data security to protect their clients' sensitive information, intellectual property, and proprietary business methods?

What can consumers expect when the attorney or law firm they've hired experienced a data breach? Yes, law firms experience data breaches. The National Law Review reported last year:

"2016 was the year that law firm data breaches landed and stayed squarely in both the national and international headlines. There have been numerous law firm data breaches involving incidents ranging from lost or stolen laptops and other portable media to deep intrusions... In March, the FBI issued a warning that a cybercrime insider-trading scheme was targeting international law firms to gain non-public information to be used for financial gain. In April, perhaps the largest volume data breach of all time involved law firm Mossack Fonesca in Panama... Finally, Chicago law firm, Johnson & Bell Ltd., was in the news in December when a proposed class action accusing them of failing to protect client data was unsealed."

So, what can clients expect regarding data security and data breaches? A post in the Lexology site reported:

"Lawyers don’t get a free pass when it comes to data security... In a significant ethics opinion issued last month, Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility provides a detailed roadmap to a lawyer’s obligations to current and former clients when they learn that they – or their firm – have been the subject of a data breach... a lawyer’s compliance with state or federal data security laws does "not necessarily achieve compliance with ethics obligations," and identifies six ABA Model Rules that might be implicated in the breach of client information."

Readers of this blog are familiar with the common definition of a data breach: unauthorized persons have accessed, stolen, altered, and/or destroyed information they shouldn't have. Attorneys have an obligation to use technology competently. The post by Patterson Belknap Webb & Tyler LLP also stated:

"... lawyers have an obligation to take “reasonable steps” to monitor for data breaches... When a breach is detected, a lawyer must act “reasonably and promptly” to stop the breach and mitigate damages resulting from the breach... A lawyer must make reasonable efforts to assess whether any electronic files were, in fact, accessed and, if so, identify them. This requires a post-breach investigation... Lawyers must then provide notice to their affected clients of the breach..."

I read the ABA Formal Opinion 483. (A copy of the opinion is also available here.) A follow-up post this week by the National Law Review listed 10 best practices to stop cyberattacks and breaches. Since many law firms outsource some back-office functions, this might be the most important best-practice item:

"4. Evaluate Your Vendors’ Security: Ask to see your vendor’s security certificate. Review the vendor’s security system as you would your own, making sure they exercise the same or stronger security systems than your own law firm..."


More Consequences From The Phony-Accounts Scandal At Wells Fargo Bank

Wells Fargo logo Consequences continue after the bank's phony-accounts scandal. Last week, Well Fargo announced several changes in senior management:

"Chief Administrative Officer Hope Hardison and Chief Auditor David Julian have begun leaves of absence from Wells Fargo and will no longer be members of the company’s Operating Committee. These leaves relate to previously disclosed ongoing reviews by regulatory agencies in connection with historical retail banking sales practices. These leaves of absence are unrelated to the company’s reported financial results..."

An investigation in 2017 found a new total of 3.5 million phony consumer and small business accounts set up by employees trying to game an internal sales compensation system. The phony accounts, many of which incurred fees and charges, had been set up without customers' knowledge nor approval. In a settlement agreement in 2016 with the Consumer Financial Protection Bureau (CFPB), Wells Fargo paid a $185 million fine last year for alleged unlawful sales practices with 1.5 million phony accounts known at that time. In 2016, about 5,300 mostly lower-level employees had been fired as a result of the scandal.

The latest announcement listed more executive changes:

"David Galloreese continues as head of Human Resources and will report directly to CEO and President Tim Sloan and join the Operating Committee. Cara Peck, who heads the Culture and Change Management teams, will report directly to Galloreese.

Jim Rowe continues as head of Stakeholder Relations and will report directly to Sloan. Stakeholder Relations will expand to include Corporate Philanthropy and Community Relations, headed by Jon Campbell... Kimberly Bordner, currently executive audit director, will become the company’s acting Chief Auditor..."

The bank is conducting an executive search for a new Chief Auditor.

Executives at the bank have plenty to fix. In April, federal regulators assessed a $1 billion fine against the bank for violations of the Consumer Financial Protection Act (CFPA) in the way it administered mandatory insurance for auto loans. In August, reports surfaced that the bank had accidentally foreclosed on 400 homeowners it shouldn't have due to a software bug.

In June 2017, U.S. Senator Elizabeth Warren (D-Massachusetts) called for the firing of all 12 board members at Wells Fargo bank for failing to adequately protect account holders. Let's hope these latest senior executive changes bring about needed changes.


Yahoo Agrees To $50 Million Payment To Settle 2013 Breach

Fortune magazine reported that Yahoo:

"... has agreed to pay a $50 million settlement to roughly 200 million people affected by the email service’s 2013 data breach... Up to 3 billion accounts had their emails and other personal information stolen in the hacking, but the settlement filed late Monday only applies to an estimated 1 billion accounts, held by 200 million people in the United States and Israel between 2012 and 2016... A hearing to approve this proposed end to the two-year lawsuit will be held in California on Nov. 29. If approved, the affected account holders will be emailed a notice."


Billions Of Data Points About Consumers Exposed During Data Breach At Data Aggregator

It's not only social media companies and credit reporting agencies that experience data breaches where massive amounts of sensitive, personal information about millions of consumers are exposed and/or stolen. Data aggregators and analytics firms also have data breaches. Wired Magazine reported:

"The sales intelligence firm Apollo sent a notice to its customers disclosing a data breach it suffered over the summer... Apollo is a data aggregator and analytics service aimed at helping sales teams know who to contact, when, and with what message to make the most deals... Apollo also claims in its marketing materials to have 200 million contacts and information from over 10 million companies in its vast reservoir of data. That's apparently not just spin. Night Lion Security founder Vinny Troia, who routinely scans the internet for unprotected, freely accessible databases, discovered Apollo's trove containing 212 million contact listings as well as nine billion data points related to companies and organizations. All of which was readily available online, for anyone to access. Troia disclosed the exposure to the company in mid-August."

This is especially problematic for several reasons. First, data aggregators like Apollo (and social media companies and credit reporting agencies) are high-value targets: plenty of data is stored in one location. That's both convenient and risky. It also places a premium upon data security.

When data like this is exposed or stolen, it makes it easy for fraudsters, scammers, and spammers to create sophisticated and more effective phishing (and vishing) attacks to trick consumers and employees into revealing sensitive payment and financial information.

Second, data breaches like this make it easier for governments' intelligence agencies to compile data about persons and targets. Third, Apollo's database reportedly also contained sensitive data about clients. That's proprietary information. Wired explained:

"Some client-imported data was also accessed without authorization... Customers access Apollo's data and predictive features through a main dashboard. They also have the option to connect other data tools they might use, for example authorizing their Salesforce accounts to port data into Apollo..."

Salesforce, a customer relationship management (CRM) platform, uses cloud services and other online technologies to help its clients, companies with sales representatives, to manage their sales, service, and marketing activities. This breach also suggests that some employee training is needed about what to, and what not to upload, to outsourcing vendor sites. What do you think?


Aetna To Pay More Than $17 Million To Resolve 2 Privacy Breaches

Aetna logo Aetna inked settlement agreements with several states, including New Jersey, to resolve disclosures of sensitive patient information. According to an announcement by the Attorney General for New Jersey, the settlement agreements resolve:

"... a multi-state investigation focused on two separate privacy breaches by Aetna that occurred in 2017 – one involving a mailing that potentially revealed information about addressees’ HIV/AIDS status, the other involving a mailing that potentially revealed individuals’ involvement in a study of patients with atrial fibrillation (or AFib)..."

Connecticut, Washington, and the District of Columbia joined with New Jersey for both the  investigation and settlement agreements. The multi-state investigation found:

"... that Aetna inadvertently disclosed HIV/AIDS-related information about thousands of individuals across the U.S. – including approximately 647 New Jersey residents – through a third-party mailing on July 28, 2017. The envelopes used in the mailing had an over-sized, transparent glassine address window, which revealed not only the recipients’ names and addresses, but also text that included the words “HIV Medications"... The second breach occurred in September 2017 and involved a mailing sent to 1,600 individuals concerning a study of patients with AFib. The envelopes for the mailing included the name and logo for the study – IMPACT AFib – which could have been interpreted as indicating that the addressee had an AFib diagnosis... Aetna not only violated the federal Health Insurance Portability and Accountability Act (HIPAA), but also state laws pertaining to the protected health information of individuals in general, and of persons with AIDS or HIV infection in particular..."

A class-action lawsuit filed on behalf of affected HIV/AIDS patients has been settled, pending approval from a federal court, which requires Aetna to pay about $17 million to resolve allegations. Terms of the multi-state settlement agreement require Aetna to pay a $365,211.59 civil penalty to New Jersey, and:

  • Implement policy, processes, and employee training reforms to both better protect persons' protected health information, and ensure mailings maintain persons' privacy; and
  • Hire an independent consultant to evaluate and report on its privacy protection practices, and to monitor its compliance with the terms of the settlement agreements.

CVS Health logo In December of last year, CVS Health and Aetna announced a merger agreement where CVS Health acquired Aetna for about $69 billion. Last week, CVS Health announced an expansion of its board of directors to include the addition of three directors from its Aetna unit. At press time, neither company's website mentioned the multi-state settlement agreement.


Facebook Lowers Its Number of Breach Victims And Explains How Hackers Broke In And Stole Data

Facebook logo In an October 12th Security Update, Facebook lowered the number of users affected during its latest data breach, and explained how hackers broke into its systems and stole users' information during the data breach it first announced on September 28th. During the data breach:

"... the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people. In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.

The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information."

Facebook promises to notify the 30 million breach victims. While it lowered the number of breach victims from 50 to 30 million, this still isn't good. 30 million is still a lot of users. And, hackers stolen the juiciest data elements -- contact and profile information -- about breach victims, enabling them to conduct more fraud against victims, their family, friends, and coworkers. Plus, note the phrase: "the attackers already controlled a set of accounts." This suggest the hackers created bogus Facebook accounts, had the sign-in credentials (e.g., username, password) of valid accounts, or both. Not good.

Moreover, there is probably more bad news coming, as other affected companies assess the (collateral) damage. Experts said that Facebook's latest breach may be worse since many companies participate in the Facebook Connect program. Not good.

The timeline of the data breach and intrusion detection are troubling. Facebook admitted that the vulnerability hackers exploited existed from July, 2017 to September, 2018 when it noticed, "an unusual spike of activity that began on September 14, 2018." While it is good that Facebook's tech team notice the intrusion, the bad news is the long open window the vulnerability existed provided plenty of time for hackers to plot and do damage.  That the hackers used automated tools suggests that the hackers knew about the vulnerabilities for a long time... long enough to decide what to do, and then build automated tools to steal users' information. Where was Facebook's quality assurance (QA) testing department during all of this? Not good.

This latest data breach included a tiny bit of good news:

"This attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts."

Meanwhile, Facebook runs TV advertisements for its new Portal, a voice-activated device with a video screen, always-listening microphone, and camera for video chats within homes.  BuzzFeed reported:

"Portal’s debut comes at a time when Facebook is struggling to reassure the public that it’s capable of protecting users’ privacy... In promoting Portal, Facebook is emphasizing the devices’ security... The company asserts that it doesn't listen or view the content of Portal calls, and the Smart Camera’s artificial intelligence–powered tracking doesn’t run on Facebook servers or use facial recognition. Audio snippets of voice commands can also be deleted from your Facebook Activity Log... because Portal relies on Facebook’s Messenger service, those calls are still under the purview of Facebook’s data privacy policy. The company collects information about “the people, Pages, accounts, hashtags and groups you are connected to and how you interact with them across our Products, such as people you communicate with the most or groups you are part of.” This means that Facebook will know who you’re talking to on Portal and for how long."

Buzzfeed also listed several comments by users. Some are skeptical of privacy promises:

Tweet #1 about Facebook Portal. Click to view larger version

Here's another comment:

Who is going to buy Portal while breach investigation results from this latest data breach, and from its Cambridge Analytica breach, are still murky? What other systems and software vulnerabilities exist? Would you buy Portal?


Why The Recent Facebook Data Breach Is Probably Much Worse Than You First Thought

Facebook logo The recent data breach at Facebook has indications that it may be much worse than first thought. It's not the fact that a known 50 million users were affected, and 40 million more may also be affected. There's more. The New York Times reported on Tuesday:

"... the impact could be significantly bigger since those stolen credentials could have been used to gain access to so many other sites. Companies that allow customers to log in with Facebook Connect are scrambling to figure out whether their own user accounts have been compromised."

Facebook Connect, an online tool launched in 2008, allows users to sign into other apps and websites using their Facebook credentials (e.g., username, password). many small, medium, and large businesses joined the Facebook Connect program, which was using:

"... a simple proposition: Connect to our platform, and we’ll make it faster and easier for people to use your apps... The tool was adopted by thousands of other firms, from mom-and-pop publishing companies to high-profile tech outfits like Airbnb and Uber."

Initially, Facebook Connect made online life easier and more convenient. Users could sign up for new apps and sites without having to create and remember new sign-in credentials:

But in July 2017, that measure of security fell short. By exploiting three software bugs, attackers forged “access tokens,” digital keys used to gain entry to a user’s account. From there, the hackers were able to do anything users could do on their own Facebook accounts, including logging in to third-party apps."

On Tuesday, Facebook released a "Login Update," which said in part:

"We have now analyzed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login.

Any developer using our official Facebook SDKs — and all those that have regularly checked the validity of their users’ access tokens – were automatically protected when we reset people’s access tokens. However, out of an abundance of caution, as some developers may not use our SDKs — or regularly check whether Facebook access tokens are valid — we’re building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out."

So, there are more news and updates to come about this. According to the New York Times, some companies' experiences so far:

"Tinder, the dating app, has found no evidence that accounts have been breached, based on the "limited information Facebook has provided," Justine Sacco, a spokeswoman for Tinder and its parent company, the Match Group, said in a statement... The security team at Uber, the ride-hailing giant, is logging some users out of their accounts to be cautious, said Melanie Ensign, a spokeswoman for Uber. It is asking them to log back in — a preventive measure that would invalidate older, stolen access tokens."


FTC: How You Should Handle Robocalls. 4 Companies Settle Regarding Privacy Shield Claims

First, it seems that the number of robocalls has increased during the past two years. Some automated calls are English. Some are in other languages. All try to trick consumers into sending money or disclosing sensitive financial and payment information. Advice from the U.S. Federal Trade Commission (FTC):

Second, the FTC announced a settlement agreement with four companies:

"In separate complaints, the FTC alleges that IDmission, LLC, mResource LLC (doing business as Loop Works, LLC), SmartStart Employment Screening, Inc., and VenPath, Inc. falsely claimed to be certified under the EU-U.S. Privacy Shield, which establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law... The Department of Commerce administers the Privacy Shield framework, while the FTC enforces the promises companies make when joining the framework."

According to the lawsuits, IDmission, a cloud-based services firm, applied in 2017 for Privacy Shield certification with the U.S. Department of Commerce but never completed the necessary steps to be certified under the program. The other three companies each obtained Privacy Shield certification in 2016 but allowed their certifications to lapse. VenPath is a data analytics firm. SmartStart offers employment and background screening services. mResource provides talent management and recruitment services.

Terms of the settlement agreements prohibit all four companies from misrepresenting their participation in any privacy or data security program sponsored by the government. Also:

"... VenPath and SmartStart must also continue to apply the Privacy Shield protections to personal information they collected while participating in the program, protect it by another means authorized by the Privacy Shield framework, or return or delete the information within 10 days of the order."


Facebook Data Breach Affected 90 Million Users. Users Claim Facebook Blocked Posts About the Breach

On Friday, Facebook announced a data breach which affected about 50 million users of the social networking service. Facebook engineers discovered the hack on September 25th. The Facebook announcement explained:

"... that attackers exploited a vulnerability in Facebook’s code that impacted “View As” a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app... This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens."

Facebook Security Update: image for mobile users. Click to view larger version Many mobile users will see the message in the image displayed on the right. Facebook said it has fixed the vulnerability, notified law enforcement, turned off the "View As" feature until the breach investigation is finished, and has already reset the access tokens of about 90 million users.

Why the higher number of 90 million and not 50 million? According to the announcement:

"... we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened."

So, 90 million users affected and 50 million known for sure. What to make of this? Wait for findings in the completed breach investigation. Until then, we won't know exactly how attackers broke in, what they stole, and the true number of affected users.

What else to make of this? Facebook's announcement skillfully avoided any direct mentions of exactly when the attack started. The announcement stated that the vulnerability was related to a July 2017 change to the video uploading feature. So, the attack could have started soon after that. Facebook didn't say, and it may not know. Hopefully, the final breach investigation report will clarify things.

And, there is more disturbing news.

Some users have claimed that Facebook blocked them from posting messages about the data breach. TechCrunch reported:

"Some users are reporting that they are unable to post [the] story about a security breach affecting 50 million Facebook users. The issue appears to only affect particular stories from certain outlets, at this time one story from The Guardian and one from the Associated Press, both reputable press outlets... some users, including members of the staff here at TechCrunch who were able to replicate the bug, were met with the following error message which prevented them from sharing the story."

Error message displayed to some users trying to post about Facebook data breach. Click to view larger version

Well, we now know that -- for better or for worse -- Facebook has an automated tool to identify spam content in real-time. And, this tool can easily misidentify content as spam, which isn't spam. Not good.

Reportedly, this error message problem has been fixed. Regardless, it should never have happened. The data breach is big news. Clearly, many people want to read and post about it. Popularity does not indicate spam. And Facebook owes users an explanation about its automated tool.

Did Facebook notify you directly of its data breach? Did you get this spam error message? How concerned are you? Please share your experience and opinions below.


Uber To Pay $148 Million To Settle Lawsuits And Coverup From Its 2016 Data Breach

Uber logo California-based Uber Technologies, Inc. has agreed to pay $148 million to settle lawsuits by several states' attorneys general regarding the ride-sharing service's massive data breach in 2016 where hackers stole information about 57 million Uber customers and drivers worldwide, including 600,000 U.S. driver's license numbers. The breach problems were compounded by allegations that Uber paid the hackers $100,000 for their silence, and by the company's failure to notify both state agencies and affected consumers about the breach.

Josh Shapiro, the Attorney General (AG) for the State of Pennsylvania, announced on the Wednesday the settlement agreement including a coalition of 51 state AGs:

"In November 2016, Uber learned that hackers had gained access to some personal information Uber maintains about its drivers, including drivers’ license information for about 600,000 drivers nationwide. Instead of reporting the breach to law enforcement and impacted individuals, Uber tracked down the hackers and obtained assurances that the hackers deleted the information – and made payments to ensure their silence... Since some of the compromised information – specifically driver’s license numbers – is considered personally identifiable information (PII), Uber was required to notify impacted individuals under the Pennsylvania Breach of Personal Information Notification Act. However, Uber failed to report the breach until November 2017."

13,500 Uber drivers in Pennsylvania were affected by the breach. Pennsylvania's share of the total payment is $5.7 million. Each Uber driver in Pennsylvania will receive $100.

48 states have data breach notification laws requiring various levels of notifications to both state officials and affected consumers, who need notice in order to take action to protect themselves and their sensitive personal and payment information.

Massachusetts' share of the total payment is $7.1 million, of which $6.5 million will be distributed to the Commonwealth’s General fund and $600,000 will be used to assist consumers and businesses. Massachusetts AG Maura Healey said:

"Uber failed to immediately report this data breach and tried to pay hush money to hackers. This settlement should be a lesson to other businesses that consumers have a right to know when their personal information has been compromised."

California's share of the total payment is $26 million. California AG  Xavier Becerra said:

"Uber’s decision to cover up this breach was a blatant violation of the public’s trust. The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law. Companies in California and throughout the nation are entrusted with customers’ valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data."

San Francisco District Attorney George Gascon said:

"We wholeheartedly support innovative business models, but new ways of engaging in business cannot come at the expense of public safety or consumer privacy. This settlement today demonstrates what happens when all of us in law enforcement work together. My office will continue to collaborate closely with the Attorney General to protect consumers both in San Francisco, and the rest of California."

Terms of the settlement agreement require Uber and its executives to:

"1. Implement and maintain robust data security practices.
2. Comply with state laws in connection with its collection, maintenance, and safeguarding of personal information, as well as reporting of data security incidents.
3. Accurately and honestly represent data security and privacy practices to better ensure transparency in how the company’s driver and customer information is safeguarded.
4. Develop, implement, and maintain a comprehensive information security program with an executive officer who advises key executive staff and Uber’s Board of Directors.
5. Report any data security incidents to states on a quarterly basis for two years.
6. Maintain a Corporate Integrity Program that includes a hotline to report misconduct, quarterly reports to the board, implementation of privacy principles, and an annual code of conduct training".

Uber and its executives have a long history of sketchy behavior including the 'Greyball' worldwide program by executives to thwart code enforcement inspections by governments, dozens of employees fired or investigated for sexual harassment, a lawsuit describing how the company's mobile app allegedly scammed both riders and drivers, and privacy abuses with the 'God View' tool.

This breach settlement is another reminder that Uber and its executives deserve close monitoring and supervision.


Amid Accusations of Age Bias, IBM Winds Down a Push for Millennial Workers

[Editor's note: today's post, by reporters at ProPublica, updates a prior post about corporate hiring. A data breach in 2007 at IBM resulted in the creation of this blog. Today's post is reprinted with permission.]

By Peter Gosselin and Ariana Tobin, ProPublica

IBM logo Faced with a mounting pile of lawsuits accusing it of age discrimination — the latest, a class action, was filed this week in federal district court in New York — tech giant IBM appears to be winding down its Millennial Corps, an internal network of young employees that’s been cited in several legal complaints as evidence of the company’s bias toward younger workers.

ProPublica reported in March that IBM, which had annual revenue of $79 billion in 2017, had ousted an estimated 20,000 U.S. employees ages 40 or older in the past five years, in some instances using money saved from the departures to hire young replacements to, in the words of an internal company document, “correct seniority mix.”

IBM deployed several strategies to attract younger workers, establishing a digital platform catering to millennials, a blog called “The Millennial Experience,” a Twitter account, @IBMillennial, as well as creating the Millennial Corps, whose members company executives pledged to consult about major business moves. The Corps was featured in a 2016 FastCompany piece titled “These Millennials Have Become the Top Decision Makers at IBM.”

But company sources said this week that the internal millennial platform has had almost no entries in recent months and the only posting on the blog dates from at least a year ago. There have been no recent tweets from @IBMillennial. At least one of the Millennial Corps founders quoted in the FastCompany story about the network has left the company, as have several of those listed as Millennial Corps “ambassadors” on the internal platform.

An IBM spokesman did not respond to questions on the status of the Millennial Corps.

The class action was filed Monday on behalf of three former IBM employees who say the company discriminated against them based on their age by ousting them from their jobs and refusing to hire them for other slots. The complaint cites ProPublica’s article extensively in accusing IBM of “systematically laying off older employees in order to build a younger workforce.” The suit was filed by Boston lawyer Shannon Liss-Riordan, who has represented workers against such tech behemoths as Amazon, Google and Uber.

IBM responded to the filing by saying it has done nothing wrong in retooling its workforce to meet the challenges of an evolving tech landscape.

“Changes in our workforce are about skills, not age,” company spokesman Edward Barbini said in a statement. “In fact, since 2010 there is no difference in the age of our U.S. workforce.”

This week’s class action suit follows lawsuits filed against IBM on behalf of individuals in California, Georgia and Texas, as well as a nationwide investigation of age bias at the company by the U.S. Equal Employment Opportunity Commission, which administers the nation’s workplace anti-discrimination laws.

The Texas case, filed by 60-year-old former sales executive Jonathan Langley, accuses the company of laying him off after 24 years because of his age. In court papers, he said IBM “devoted countless millions of dollars to its effort to rebrand as a hip, Millennial-centric tech company” by, among other things, establishing the Millennial Corps.

An IBM spokesman has said the company will defend the Langley case vigorously and complies with all applicable laws.

The new class-action complaint is somewhat narrower than it at first appears, a reflection of complexities in the laws against age discrimination and legal protections IBM has erected for itself.

At the moment, the complaint seeks the right to represent older ex-IBM employees in just two states, California and North Carolina. Ex-employees in other states would have to sign up, or affirmatively opt in, to be covered. Liss-Riordan said in an email that individuals from other could be added to the class if other plaintiffs emerge.

In addition, the class action filed this week only seeks to represent ex-IBM employees who did not sign the company’s separation agreement when they were ousted.

ProPublica reported in March that IBM regularly denies older workers being laid off information that federal law says they’re entitled to in order to decide whether they have been victims of age bias. It does so by making severance pay contingent on departing employees signing separation agreements in which they give up their right to sue, and can then only pursue age claims through secret, individual arbitration.

Even with these limits on potential plaintiffs, experts on employment said the legal actions could have a substantial effect on IBM.

“If a judge approves class-action status, or any of the age-discrimination lawsuits filed against IBM recently proceed, the company is going to face a costly fight defending its treatment of older workers,” said Jeffrey Young, an Augusta, Maine, lawyer who has successfully sued major employers for age bias but isn’t representing any of the plaintiffs in the IBM cases.

Filed under:

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


A Free Press Works For All of Us

[Editor's note: after repeated claim since 2017 by President Trump accusing journalists of being, "the enemy of the people," more than 300 local and national newspapers responded during August. Today's guest post includes ProPublica's response. It is reprinted with permission.]

By Stephen Engelberg, Editor-in-Chief, ProPublica

ProPublica does not have an editorial page, and we have never advocated for a particular policy to address the wrongs our journalism exposes. But from the very beginning of our work more than a decade ago, we have benefited enormously from the traditions and laws that protect free speech. And so today, as the nation’s news organizations remind readers of the value of robust journalism, it seems fitting to add our voice.

ProPublica specializes in investigative reporting — telling stories with “moral force” that hold government, businesses and revered institutions to account. There are few forms of journalism more vulnerable to pressure from the powerful. What we publish can change the outcome of elections, reverse policies, embarrass police or prosecutors and cost companies boatloads of money. The main subjects of our work, in most cases, would much prefer that our reporting never appear or be substantially watered down.

The framers of our Constitution fully understood the importance of protecting a robust, sometimes raucous press. It is no coincidence that the very first amendment begins, “Congress shall make no law ... abridging the freedom of speech, or of the press.” They had lived under a system in which a powerful monarch could use the law of seditious libel to accomplish the 18th-century version of “lock her up.” They wanted no part of it.

In the 21st century, journalism — at least as practiced on cable television — is becoming a craft in which partisans put forth or omit facts to advance their preferred political perspective. Those who bring to light uncomfortable truths are dismissed as “fake news” or, in our case, the work of the “Soros-funded” ProPublica, the all-purpose, vaguely anti-Semitic epithet meant to connote left-wing bias. (For the record, George Soros’s Open Society Foundations fund less than 2 percent of our operations.)

We have covered Presidents George W. Bush, Barack Obama and Donald Trump. We’re proud to say that we’ve annoyed them all with journalism that revealed serious shortcomings. We revealed that Bush had granted pardons to nearly four times as many white applicants as blacks; we ceaselessly hammered Obama for his failure to provide mortgage relief he’d promised ordinary homeowners; and we’ve vigorously covered Trump’s crackdown on immigrants, notably disclosing an audio recording of wailing children in a shelter. Democrats and Republicans have come under our scrutiny. We disclosed how California’s Democrats had manipulated the state’s redistricting process; however, we also reported that Republicans had used dark money and redistricting in other states to win the House in 2012, even though GOP congressional candidates won far fewer votes in aggregate than Democrats.

Journalists inevitably make mistakes along the way, and we’ve had our share at ProPublica. But the argument advanced by Trump and his allies — that journalists are the “enemy of the people” who sit around making up fake stories to undermine his administration — is palpably false. In fact, to use a word we have shied away from in our coverage, it’s a lie. And the president knows it.

For our part, we’re both proud and pleased to live in a country where one can still say that.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


No, a Teen Did Not Hack a State Election

[Editor's note: today's guest post, by reporters at ProPublica, is the latest in a series about the integrity and security of voting systems in the United States. It is reprinted with permission.]

By Lilia Chang, ProPublica

Headlines from Def Con, a hacking conference held this month in Las Vegas, might have left some thinking that infiltrating state election websites and affecting the 2018 midterm results would be child’s play.

Articles reported that teenage hackers at the event were able to “crash the upcoming midterm elections” and that it had taken “an 11-year-old hacker just 10 minutes to change election results.” A first-person account by a 17-year-old in Politico Magazine described how he shut down a website that would tally votes in November, “bringing the election to a screeching halt.”

But now, elections experts are raising concerns that misunderstandings about the event — many of them stoked by its organizers — have left people with a distorted sense of its implications.

In a website published before r00tz Asylum, the youth section of Def Con, organizers indicated that students would attempt to hack exact duplicates of state election websites, referring to them as “replicas” or “exact clones.” (The language was scaled back after the conference to simply say “clones.”)

Instead, students were working with look-a-likes created for the event that had vulnerabilities they were coached to find. Organizers provided them with cheat sheets, and adults walked the students through the challenges they would encounter.

Josh Franklin, an elections expert formerly at the National Institute of Standards and Technology and a speaker at Def Con, called the websites “fake.”

“When I learned that they were not using exact copies and pains hadn’t been taken to more properly replicate the underlying infrastructure, I was definitely saddened,” Franklin said.

Franklin and David Becker, the executive director of the Center for Election Innovation & Research, also pointed out that while state election websites report voting results, they do not actually tabulate votes. This information is kept separately and would not be affected if hackers got into sites that display vote totals.

“It would be lunacy to directly connect the election management system, of which the tabulation system is a part of, to the internet,” Franklin said.

Jake Braun, the co-organizer of the event, defended the attention-grabbing way it was framed, saying the security issues of election websites haven’t gotten enough attention. Those questioning the technical details of the mock sites and whether their vulnerabilities were realistic are missing the point, he insisted.

“We want elections officials to start putting together communications redundancy plans so they have protocol in place to communicate with voters and the media and so on if this happens on election day,” he said.

Braun provided ProPublica with a report that r00tz plans to circulate more widely that explains the technical underpinnings of the mock websites. They were designed to be vulnerable to a SQL injection attack, a common hack, the report says.

Franklin acknowledged that some state election reporting sites do indeed have this vulnerability, but he said that states have been aware of it for months and are in the process of protecting against it.

Becker said the details spelled out in the r00tz report would have been helpful to have from the start.

“We have to be really careful about adding to the hysteria about our election system not working or being too vulnerable because that’s exactly what someone like President Putin wants,” Becker said. Instead, Becker said that “we should find real vulnerabilities and address them as elections officials are working really hard to do.”

Filed under:

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Verizon Throttled Mobile Services Of First Responders Fighting California Wildfires

Verizon logo Fighting fires is difficult, dangerous work. Recently, that was made worse by an internet service provider (ISP). Ars Technica reported:

"Verizon Wireless' throttling of a fire department that uses its data services has been submitted as evidence in a lawsuit that seeks to reinstate federal net neutrality rules. "County Fire has experienced throttling by its ISP, Verizon," Santa Clara County Fire Chief Anthony Bowden wrote in a declaration. "This throttling has had a significant impact on our ability to provide emergency services. Verizon imposed these limitations despite being informed that throttling was actively impeding County Fire's ability to provide crisis-response and essential emergency services." Bowden's declaration was submitted in an addendum to a brief filed by 22 state attorneys general, the District of Columbia, Santa Clara County, Santa Clara County Central Fire Protection District, and the California Public Utilities Commission. The government agencies are seeking to overturn the recent repeal of net neutrality rules in a lawsuit they filed against the Federal Communications Commission in the US Court of Appeals for the District of Columbia Circuit."

Reportedly, Verizon replied with a statement that the throttling, "was a customer service error." Huh? This is how Verizon treats first-responders? This is how an ISP treats first-responders during a major emergency and natural disaster? The wildfires have claimed 12 deaths, destroyed at least 1,200 homes, and wiped out the state's emergency fund. Smoke from the massive wildfires has caused extensive pollution and health warnings in Northwest areas including Portland, Oregon and Seattle, Washington. The thick smoke could be seen from space.

Ars Technica reported in an August 21 update:

"Santa Clara County disputed Verizon's characterization of the problem in a press release last night. "Verizon's throttling has everything to do with net neutrality—it shows that the ISPs will act in their economic interests, even at the expense of public safety," County Counsel James Williams said on behalf of the county and fire department. "That is exactly what the Trump Administration's repeal of net neutrality allows and encourages." "

In 2017, President Trump appointed Ajit Pai, a former Verizon attorney, as Chairman of the U.S. Federal Communications Commission. Under Pai's leadership, the FCC revoked both online privacy and net neutrality protections for consumers. This gave ISPs the freedom to do as they want online while consumers lost two key freedoms: a) the freedom to control the data describing their activities online (which are collected and shared with others by ISPs), and b) freedom to use the internet bandwidth purchased as they choose.

If an ISP will throttle and abuse first-responders, think of what it will do it regular consumers. What are your opinions?


T-Mobile Confirmed Data Breach Affecting Millions Of Customers

T-Mobile logo T-Mobile confirmed a data breach which impacted its customers. Last week, the mobile service provider said in a statement:

"On August 20, our cyber-security team discovered and shut down an unauthorized access to certain information, including yours, and we promptly reported it to authorities. None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised. However, you should know that some of your personal information may have been exposed, which may have included one or more of the following: name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid)."

Affected customers are being notified. The statement did not disclose the number of affected customers, exactly how criminals breached its systems, nor the specific actions T-Mobile is taking to prevent this type of breach from happening again. The lack of detail is discouraging and does not promote trust.

CBS News reported:

"... the breach affected about 3 percent of T-Mobile's 77 million customers, or 2 million people... In May, researchers detected a bug in the company's website that allowed anyone to access the personal data of customers with just a phone number. The company is waiting for regulatory approval of a proposed $26.5 billion takeover of Sprint, the fourth-largest carrier in the United States."

So, criminals have stolen enough information to do damage: send spam via e-mail or text, and conduct pretexting (e.g., impersonate others to take over online accounts by resetting passwords, and/or gain access to payment data).

If you received a breach notice from T-Mobile, how satisfied are you with the company's response?


Besieged Facebook Says New Ad Limits Aren’t Response to Lawsuits

[Editor's note: today's guest post, by reporters at ProPublica, is the latest in a series monitoring Facebook's attempts to clean up its advertising systems and tools. It is reprinted with permission.]

By Ariana Tobin and Jeremy B. Merrill, ProPublica

Facebook logo Facebook’s move to eliminate 5,000 options that enable advertisers on its platform to limit their audiences is unrelated to lawsuits accusing it of fostering housing and employment discrimination, the company said Wednesday.

“We’ve been building these tools for a long time and collecting input from different outside groups,” Facebook spokesman Joe Osborne told ProPublica.

Tuesday’s blog post announcing the elimination of categories that the company has described as “sensitive personal attributes” came four days after the Department of Justice joined a lawsuit brought by fair housing groups against Facebook in federal court in New York City. The suit contends that advertisers could use Facebook’s options to prevent racial and religious minorities and other protected groups from seeing housing ads.

Raising the prospect of tighter regulation, the Justice Department said that the Communications Decency Act of 1996, which gives immunity to internet companies from liability for content on their platforms, did not apply to Facebook’s advertising portal. Facebook has repeatedly cited the act in legal proceedings in claiming immunity from anti-discrimination law. Congress restricted the law’s scope in March by making internet companies more liable for ads and posts related to child sex-trafficking.

Around the same time the Justice Department intervened in the lawsuit, the Department of Housing and Urban Development (HUD) filed a formal complaint against Facebook, signaling that it had found enough evidence during an initial investigation to raise the possibility of legal action against the social media giant for housing discrimination. Facebook has said that its policies strictly prohibit discrimination, that over the past year it has strengthened its systems to protect against misuse, and that it will work with HUD to address the concerns.

“The Fair Housing Act prohibits housing discrimination including those who might limit or deny housing options with a click of a mouse,” Anna María Farías, HUD’s assistant secretary for fair housing and equal opportunity, said in a statement accompanying the complaint. “When Facebook uses the vast amount of personal data it collects to help advertisers to discriminate, it’s the same as slamming the door in someone’s face.”

Regulators in at least one state are also scrutinizing Facebook. Last month, the state of Washington imposed legally binding compliance requirements on the company, barring it from offering advertisers the option of excluding protected groups from seeing ads about housing, credit, employment, insurance or “public accommodations of any kind.”

Advertising is the primary source of revenue for the social media giant, which is under siege on several fronts. A recent study and media coverage have highlighted how hate speech and false rumors on Facebook have spurred anti-refugee discrimination in Germany and violence against minority ethnic groups such as the Rohingya in Myanmar. This week, Facebook said it had found evidence of Russian and Iranian efforts to influence elections in the U.S. and around the world through fake accounts and targeted advertising. It also said it had suspended more than 400 apps “due to concerns around the developers who built them or how the information people chose to share with the app may have been used.”

Facebook declined to identify most of the 5,000 options being removed, saying that the information might help bad actors game the system. It did say that the categories could enable advertisers to exclude racial and religious minorities, and it provided four examples that it deleted: “Native American culture,” “Passover,” “Evangelicalism” and “Buddhism.” It said the changes will be completed next month.

According to Facebook, these categories have not been widely used by advertisers to discriminate, and their removal is intended to be proactive. In some cases, advertisers legitimately use these categories to reach key audiences. According to targeting data from ads submitted to ProPublica’s Political Ad Collector project, Jewish groups used the “Passover” category to promote Jewish cultural events, and the Michael J. Fox Foundation used it to find people of Ashkenazi Jewish ancestry for medical research on Parkinson’s disease.

Facebook is not limiting advertisers’ options for narrowing audiences by age or sex. The company has defended age-based targeting in employment ads as beneficial for employers and job seekers. Advertisers may also still target or exclude by ZIP code — which critics have described as “digital red-lining” but Facebook says is standard industry practice.

A pending suit in federal court in San Francisco alleges that, by allowing employers to target audiences by age, Facebook is enabling employment discrimination against older job applicants. Peter Romer-Friedman, a lawyer representing the plaintiffs in that case, said that Facebook’s removal of the 5,000 options “is a modest step in the right direction.” But allowing employers to sift job seekers by age, he added, “shows what Facebook cares about: its bottom line. There is real money in age-restricted discrimination.”

Senators Bob Casey of Pennsylvania and Susan Collins of Maine have asked Facebook for more information on what steps it is taking to prevent age discrimination on the site.

The issue of discriminatory advertising on Facebook arose in October 2016 when ProPublica revealed that advertisers on the platform could narrow their audiences by excluding so-called “ethnic affinity” categories such as African-Americans and Spanish-speaking Hispanics. At the time, Facebook promised to build a system to flag and reject such ads. However, a year later, we bought dozens of rental housing ads that excluded protected categories. They were approved within seconds. So were ads that excluded older job seekers, as well as ads aimed at anti-Semitic categories such as “Jew hater.”

The removal of the 5,000 options isn’t Facebook’s first change to its advertising portal in response to such criticism. Last November, it added a self-certification option, which asks housing advertisers to check a box agreeing that their advertisement is not discriminatory. The company also plans to require advertisers to read educational material on the site about ethical practices.

Filed under:

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Facebook To Remove Onavo VPN App From Apple App Store

Not all Virtual Private Network (VPN) software is created equal. Some do a better job at protecting your privacy than others. Mashable reported that Facebook:

"... plans to remove its Onavo VPN app from the App Store after Apple warned the company that the app was in violation of its policies governing data gathering... For those blissfully unaware, Onavo sold itself as a virtual private network that people could run "to take the worry out of using smartphones and tablets." In reality, Facebook used data about users' internet activity collected by the app to inform acquisitions and product decisions. Essentially, Onavo allowed Facebook to run market research on you and your phone, 24/7. It was spyware, dressed up and neatly packaged with a Facebook-blue bow. Data gleaned from the app, notes the Wall Street Journal, reportedly played into the social media giant's decision to start building a rival to the Houseparty app. Oh, and its decision to buy WhatsApp."

Thanks Apple! We've all heard of the #FakeNews hashtag on social media. Yes, there is a #FakeVPN hashtag, too. So, buyer beware... online user beware.


Study: Performance Issues Impede IoT Device Trust And Usage Worldwide By Consumers

Dynatrace logo A global survey recently uncovered interesting findings about the usage and satisfaction of Iot (Internet of things) devices by consumers. A survey of consumers in several countries found that 52 percent already use IoT devices, and 64 percent of users have already encountered performance issues with their devices.

Opinium Research logo Dynatrace, a software intelligence company, commissioned Opinium Research to conduct a global survey of 10,002 participants, with 2,000 in the United States, 2,000 in the United Kingdom, and 1,000 respondents each in France, Germany, Australia, Brazil, Singapore, and China. Dynatrace announced several findings, chiefly:

"On average, consumers experience 1.5 digital performance problems every day, and 62% of people fear the number of problems they encounter, and the frequency, will increase due to the rise of IoT."

That seems like plenty of poor performance. Some findings were specific to travel, healthcare, and in-home retail sectors. Regarding travel:

"The digital performance failures consumers are already experiencing with everyday technology is potentially making them wary of other uses of IoT. 85% of respondents said they are concerned that self-driving cars will malfunction... 72% feel it is likely software glitches in self-driving cars will cause serious injuries and fatalities... 84% of consumers said they wouldn’t use self-driving cars due to a fear of software glitches..."

Regarding healthcare:

"... 62% of consumers stated they would not trust IoT devices to administer medication; this sentiment is strongest in the 55+ age range, with 74% expressing distrust. There were also specific concerns about the use of IoT devices to monitor vital signs, such as heart rate and blood pressure. 85% of consumers expressed concern that performance problems with these types of IoT devices could compromise clinical data..."

Regarding in-home retail devices:

"... 83% of consumers are concerned about losing control of their smart home due to digital performance problems... 73% of consumers fear being locked in or out of the smart home due to bugs in smart home technology... 68% of consumers are worried they won’t be able to control the temperature in the smart home due to malfunctions in smart home technology... 81% of consumers are concerned that technology or software problems with smart meters will lead to them being overcharged for gas, electricity, and water."

The findings are a clear call to IoT makers to improve the performance, security, and reliability of their internet-connected devices. To learn more, download the full Dynatrace report titled, "IoT Consumer Confidence Report: Challenges for Enterprise Cloud Monitoring on the Horizon."


Whirlpool's Online Product Registration: Confidentiality and Privacy Concerns

Earlier this month, my wife and I relocated to a different city within the same state to live closer to our new, 14-month young grandson. During the move, we bought new home appliances -- a clothes washer and dryer, both made by Whirlpool -- which prompted today's blog post.

The packaging and operation instructions included two registration postcards with the model and serial numbers printed in the form. Nothing controversial about that. The registration cards included, "Other Easy Ways To Register," and listed both registration websites for the United States and Canada. I tried the online registration to see what improvements or benefits Whirlpool's United States registration site might offer over the old-school snail-mail method besides speed.

The landing page includes a form for the customer's contact information, product purchased information, and future purchase plans. Pretty standard stuff. Nothing alarming there. Near the bottom of the form and just above the "Complete Registration" button are links to Whirlpool's Terms & Conditions and Privacy policies. I read both and found some surprises.

First, the site uses inconsistent nomenclature: two different policy titles. The link says "Terms & Conditions" while the title of the actual policy page states, "Terms Of Use." Which is it? Inconsistent nomenclature can confuse users. Not good. Come on, Whirlpool! This is not hard. Good website usability includes the consistent use of the same page title, so uses know where they are going when they select a link, and that they've arrived at the expected destination.

Second, the Terms Of Use (well, I had to pick a title so it wold be clear for you) policy page lacks a date. This can be confusing, making it difficult to impossible for consumers to know and reference the exact document read; plus determine what, if any, changes were posted since the prior version. Not good. Come on Whirlpool! Add a publication date. It's not hard.

Third, the Terms Of Use policy contained this clause:

"Whirlpool Corporation welcomes your submissions; however, any information submitted, other than your personal information (for example, your name and e-mail address), to Whirlpool Corporation through this site is the exclusive property of Whirlpool Corporation and is considered NOT to be confidential. Whirlpool Corporation does not receive the submission in confidence or under any confidential or fiduciary relationship. Whirlpool Corporation may use the submission for any purpose without restriction or compensation."

So, the Terms of Use policy is both vague and clear at the same time. It was vague because it didn't list the exact data elements considered "personal information." Not good. This leaves consumers to guess. The policy lists only two data elements. What about the rest? Are all confidential, or only some? And if some, which ones? Here's the list I consider confidential: name, street address, country, phone number, e-mail address, IP address, device type, device model, device operating system, payment card information, billing address, and online credentials (should I create a profile at the Whirlpool site). Come on Whirlpool! Get it together and provide the complete list of data elements you consider "personal information." It's not hard.

Fourth, the Terms Of Use policy was also clear because the above sentences quoted made Whirlpool's intentions clear: submissions to the site other than "personal information" are not confidential and Whirlpool can do with them whatever it wants. Since the policy doesn't list which data elements are personal, one must assume all are.  Not good.

Next, I read Whirlpool's Privacy policy, and hoped that it would clarify things. Thankfully, a little good news. First, the Privacy policy listed a date: May 31, 2018. Second, more inconsistent site nomenclature: the page-bottom links across the site say "Privacy Policy" while the policy page title says "Privacy Statement." I selected the "Expand All" button to view the entire policy. Third, Whirlpool's Privacy Statement listed the items considered personal information:

"- Your contact information, such as your name, email address, mailing address, and phone number
- Your billing information, such as your credit card number and billing address
- Your Whirlpool account information, including your user name, account number, and a password
- Your product and ownership information
- Your preferences, such as product wish lists, order history, and marketing preferences"

This list is a good start. A simple link to this section from the Terms Of Use policy would do wonders to clarify things. However, Whirlpool collects some key data which it more freely collects and trades than "personal information." The Privacy Statement contains this clause:

"Whirlpool and its business partners and service providers may use a variety of technologies that automatically or passively collect information about how you interact with our Websites ("Usage Information"). Usage Information may include: (i) your IP address, which is a unique set of numbers assigned to your computer by your Internet Service Provider (ISP) (which, depending on your ISP, may be a different number every time you connect to the Internet); (ii) the type of browser and operating system you use; and (iii) other information about your online session, such as the URL you came from to get to our Websites and the date and time you visited our Websites."

And, the Privacy Statement mentions the use of several online tracking technologies:

"We use Local Shared Objects (LSOs) such as HTML5 or Flash on our Websites to store content information and preferences. Third parties with whom we partner to provide certain features on our Websites or to display advertising based upon your web browsing activity use LSOs such as HTML5 or Flash to collect and store information... Web beacons are tiny electronic image files that can be embedded within a web page or included in an e-mail message, and are usually invisible to the human eye. When we use web beacons within our web pages, the web beacons (also known as “clear GIFs” or “tracking pixels”) may tell us such things as: how many people are coming to our Websites, whether they are one-time or repeat visitors, which pages they viewed and for how long, how well certain online advertising campaigns are converting, and other similar Website usage data. When used in our e-mail communications, web beacons can tell us the time an e-mail was opened, if and how many times it was forwarded, and what links users click on from within the e- mail message."

While the "EU-US Privacy Shield" section of the privacy policy lists Whirlpool's European subsidiaries, and contains a Privacy Shield link to an external site listing the companies that are probably some of Whirlpool's service and advertising partners, the privacy policy really does not disclose all of the "third parties," "business partners," "service vendors," advertising partners, and affiliates Whirlpool shares data with. Consumers are left in the dark.

Last, the "Your Rights: Choice & Access" section of the privacy policy mentions the opt-out mechanism for consumers. While consumers can opt-out or cancel receiving marketing (e.g., promotional) messaging from Whirlpool, you can't opt-out of the data collection and archival. So, choice is limited.

Given this and the above concerns, I abandoned the product registration form. Yep. Didn't complete it. Maybe I will in the future after Whirlpool fixes things. Perhaps most importantly, today's blog post is a reminder for all consumers: always read companies' privacy and terms-of-use policies. Always. You never know what you'll find that is irksome. And, if you don't know how to read online polices, this blog has some tips and suggestions.


Federal Reserve Board Fined Citigroup For Mishandling Residential Mortgages

Citibank logo The Federal Reserve Board (FRB) announced on Friday that it had fined Citigroup $8.6 million for the "improper execution of residential mortgage-related documents" in a subsidiary. The announcement explained:

"The $8.6 million penalty addresses the deficient execution and notarization of certain mortgage-related affidavits prepared by a subsidiary, CitiFinancial. The improper practices occurred in 2015 and were corrected. CitiFinancial exited the mortgage servicing business in 2017.

Also on Friday, the Board announced the termination of an enforcement action from 2011 against Citigroup and CitiFinancial related to residential mortgage loan servicing. The termination of this action was based on evidence of sustainable improvements."

In 2014, Citigroup paid $7 billion to settle allegations by the Department of Justice (DOJ) and several states attorneys general (AGs) that the bank mislead investors about toxic mortgage-backed securities. So, sloppy or shoddy handling of mortgage paperwork  will get a bank fined. Good. There must be consequences when consumers are abused.

Earlier this month, Wells Fargo admitted to software bugs in its systems which led to the bank accidentally foreclosing on residential homeowners it shouldn't have. 400 homeowners lost their homes. Untold consumers' credit ratings wrecked. That sounds like shabby mortgage paperwork handling, too -- definitely worth a larger fine. What do you think?