67 posts categorized "Credit Monitoring Services" Feed

FTC To Distribute $31 Million In Refunds To Affected Lifelock Customers

U.S. Federal Trade Commission logo The U.S. Federal Trade Commission (FTC) announced on Tuesday the distribution of about $31 million worth of refunds to certain customers of Lifelock, an identity protection service. The refunds are part of a previously announced settlement agreement to resolve allegations that the identity-theft service violated a 2010 consent order.

Lifelock has featured notable spokespersons, including radio talk-show host Rush Limbaugh, television personality Montel Williams, actress Angie Harmon, and former New York City Mayor Rudy Giuliani, who is now the personal attorney for President Trump.

The FTC announcement explained:

"The refunds stem from a 2015 settlement LifeLock reached with the Commission, which alleged that from 2012 to 2014 LifeLock violated an FTC order that required the company to secure consumers’ personal information and prohibited it from deceptive advertising. The FTC alleged, among other things, that LifeLock failed to establish and maintain a comprehensive information security program to protect users’ sensitive personal information, falsely advertised that it protected consumers’ sensitive data with the same high-level safeguards used by financial institutions, and falsely claimed it provided 24/7/365 alerts “as soon as” it received any indication a consumer’s identity was being used."

Lifelock logo The 2015 settlement agreement with the FTC required LifeLock agreed to pay $100 million to affected customers. About $68 million has been paid to customers who were part of a class action lawsuit. The FTC is using the remaining money to provide refunds to consumers who were LifeLock members between 2012 and 2014, but did not receive a payment from the class action settlement.

The FTC expects to mail about one million refund checks worth about $29 each.

If you are a Lifelock customer and find this checkered history bothersome, Consumer Reports has some recommendations about what you can do instead. It might save you some money, too.


Study: Anonymized Data Can Not Be Totally Anonymous. And 'Homomorphic Encryption' Explained

Many online users have encountered situations where companies collect data with the promised that it is safe because the data has been anonymized -- all personally-identifiable data elements have been removed. How safe is this really? A recent study reinforced the findings that it isn't as safe as promised. Anonymized data can be de-anonymized = re-identified to individual persons.

The Guardian UK reported:

"... data can be deanonymised in a number of ways. In 2008, an anonymised Netflix data set of film ratings was deanonymised by comparing the ratings with public scores on the IMDb film website in 2014; the home addresses of New York taxi drivers were uncovered from an anonymous data set of individual trips in the city; and an attempt by Australia’s health department to offer anonymous medical billing data could be reidentified by cross-referencing “mundane facts” such as the year of birth for older mothers and their children, or for mothers with many children. Now researchers from Belgium’s Université catholique de Louvain (UCLouvain) and Imperial College London have built a model to estimate how easy it would be to deanonymise any arbitrary dataset. A dataset with 15 demographic attributes, for instance, “would render 99.98% of people in Massachusetts unique”. And for smaller populations, it gets easier..."

According to the U.S. Census Bureau, the population of Massachusetts was abut 6.9 million on July 1, 2018. How did this de-anonymization problem happen? Scientific American explained:

"Many commonly used anonymization techniques, however, originated in the 1990s, before the Internet’s rapid development made it possible to collect such an enormous amount of detail about things such as an individual’s health, finances, and shopping and browsing habits. This discrepancy has made it relatively easy to connect an anonymous line of data to a specific person: if a private detective is searching for someone in New York City and knows the subject is male, is 30 to 35 years old and has diabetes, the sleuth would not be able to deduce the man’s name—but could likely do so quite easily if he or she also knows the target’s birthday, number of children, zip code, employer and car model."

Data brokers, including credit-reporting agencies, have collected a massive number of demographic data attributes about every persons. According to this 2018 report, Acxiom has compiled about 5,000 data elements for each of 700 million persons worldwide.

It's reasonable to assume that credit-reporting agencies and other data brokers have similar capabilities. So, data brokers' massive databases can make it relatively easy to re-identify data that was supposedly been anonymized. This means consumers don't have the privacy promised.

What's the solution? Researchers suggest that data brokers must develop new anonymization methods, and rigorously test them to ensure anonymization truly works. And data brokers must be held to higher data security standards.

Any legislation serious about protecting consumers' privacy must address this, too. What do you think?


2 Credit Reporting Agencies To Pay $23.1 Million To Settle Deceptive Advertising Charges

Last week, the Consumer Financial Protection Bureau (CFPB) announced the actions it had taken against two credit reporting agencies and their subsidiaries for deceptive advertising practices with credit scores and related subscription programs. The CFPB announcement explained:

"TransUnion, since at least July 2011, and Equifax, between July 2011 and March 2014, violated the Dodd-Frank Wall Street Reform and Consumer Financial Protection Act by: 1) Deceiving consumers about the value of the credit scores they sold: In their advertising, TransUnion and Equifax falsely represented that the credit scores they marketed and provided to consumers were the same scores lenders typically use to make credit decisions. In fact, the scores sold by TransUnion and Equifax were not typically used by lenders to make those decisions; 2) Deceiving consumers into enrolling in subscription programs: In their advertising, TransUnion and Equifax falsely claimed that their credit scores and credit-related products were free or, in the case of TransUnion, cost only “$1.” In reality, consumers who signed up received a free trial of seven or 30 days, after which they were automatically enrolled in a subscription program. Unless they cancelled during the trial period, consumers were charged a recurring fee – usually $16 or more per month. This billing structure, known as a “negative option,” was not clearly and conspicuously disclosed to consumers."

Credit scores are numerical summaries designed to predict consumer repayment behavior and while using credit. Those numeric summaries attempt to indicate a consumer's credit worthiness based up like their bill-paying history: the number and type of credit accounts, the total amount of debt, if the credit accounts are maxed out, the age of that debt, whether bills are paid on time, collection activities by lenders to get paid, and the age of the consumer's accounts.

It is important for consumers to know that lenders rely in part on credit scores when deciding whether to extend credit to consumers and how much credit to extend. Plus, there are several branded credit scores in the marketplace. So, no single credit score is used by all lenders, and lenders may use one or more branded credit scores when making lending decisions. Also, the credit scores sold to consumers by TransUnion:

"... are based on a model from VantageScore Solutions, LLC. Although TransUnion has marketed VantageScores to lenders and other commercial users, VantageScores are not typically used for credit decisions."

Generally, the higher a credit score, the less risky that consumer is to lenders. The U.S. Federal Trade Commission (FTC) has a helpful site that explains credit scores and provides answers to common questions by consumers.

The CFPB actions require Equifax and TransUnion to pay fines totaling $5.5 million to the CFPB, and to pay more than $17.6 million in restitution to affected consumers.TransUnion's share of the fines is $3 million, and Equifax's share is $2.5 million. Other terms of the enforcement action:

"TransUnion and Equifax must clearly inform consumers about the nature of the scores they are selling to consumers... Before enrolling a consumer in any credit-related product with a negative option feature, TransUnion and Equifax must obtain the consumer’s consent. TransUnion and Equifax must give consumers a simple, easy-to-understand way to cancel the purchase of any credit-related product, and stop billing and collecting payments for any recurring charge when a consumer cancels."

"Negative option" is when a free trial automatically converts to a monthly paid subscription if the fails to cancel during the free trial period. Historically, the three major credit reporting agencies have offshore outsourced call center operations. So, it will be interesting to see how many of these jobs return to the United States given the policy positions of the incoming President and his administration. And, the industry has come under scrutiny for failing to fix errors in the credit reports they sell.

The industry has had some spectacular information security failures. A May 2016 breach at Equifax exposed the sensitive personal information of more than 430,000 employees of its Kroger supermarkets client. In 2012, Equifax and some of its customers paid $1.6 million to settle allegations by the FTC about the improper sales of customer lists from January 2008 and to early 2010.

The CFPB began supervision of the credit reporting industry in 2012. CFPB Director Richard Cordray said about this recent enforcement action:

"TransUnion and Equifax deceived consumers about the usefulness of the credit scores they marketed, and lured consumers into expensive recurring payments with false promises... Credit scores are central to a consumer’s financial life and people deserve honest and accurate information about them."

Kudos to the CFPB for this enforcement action.


Lifelock to Pay $100 Million To Settle Charges By FTC That Company Violated A 2010 Court Order

Lifelock logo During the run-up to the holiday season, the U.S. Federal Trade Commission (FTC) announced a settlement agreement where Lifelock will pay $100 million to settle charges that it violated a 2010 federal court order to properly secure customers' sensitive personal information, and stop performing deceptive advertising. The identity protection service has featured notable spokespersons, including radio talk-show host Rush Limbaugh, television personality Montel Williams, and former New York City Mayor Rudy Guliani.

The company's stock price plunged in July 2015 when news of the FTC investigation broke. The FTC's charges against Lifelock included four components. The FTC alleged that:

  1. From at least October 2012 through March 2014, LifeLock failed to establish and maintain a comprehensive data security program to protect users’ sensitive personal information (e.g., Social Security numbers, credit card payment information, bank account information, etc.).
  2. LifeLock falsely advertised that it protected consumers’ sensitive information with the same high-level protections used by banks.
  3. From January 2012 through December 2014 LifeLock falsely advertised  that it would send alerts “as soon as” it received any indication that a consumer may be a victim of identity theft.
  4. Lifelock failed to comply with the recordkeeping requirements in the 2010 court order.

In 2010, about 950 thousand consumers received refunds from Lifelock results from deceptive advertising claims. In a 2014 review of the service, Consumer Reports advised consumers to ignore the hype and consider whether you are like to lose or have stolen as much money as Lifelock's annual service fees: $99 to almost $250 a year. Consumer Reports said:

"LifeLock’s latest commercial shows folks happily sharing personal information on smart phones, laptops, and tablets, oblivious to LifeLock’s claim that “identity theft is one of the fastest-growing crimes in America.” That’s why you need LifeLock.. True, existing debit- and credit-card fraud, aka card theft, makes up the largest part of what is trumped up as identity fraud, and it jumped 46 percent last year. But consumer-protection laws and zero-liability policies limit the actual cost of that crime for most consumers to zero. Those who had out-of-pocket costs in 2013 lost only $108, on average. The incidence of new-account fraud... has fallen to historic lows. Your chance of getting hit last year was only one-half of 1 percent. Again, you’re generally not liable if a creditor lends money to a crook posing as you, but costs for consumers who were liable somehow averaged $449. LifeLock’s terms-and-conditions agreement requires that you also work to protect your personal information “at all times.” Why pay someone for DIY defense?"

Regular readers of this blog know that after my personal information was disclosed during a prior employer's data breach, I placed Fraud Alerts for free on my credit reports on my own. Later, I upgraded to Security Freezes for greater protection. The only cost I incurred for the Security Freezes was the $5 fee (which varies by state) each credit reporting agency charged. I monitor my credit card and bank statements monthly (for free) for fraudulent charges, and when they occur get them removed without incurring any costs. For me, DIY protection works.

Terms of its settlement agreement with the FTC require Lifelock to:

"... deposit $100 million into the registry of the U.S. District Court for the District of Arizona. Of that $100 million, $68 million may be used to redress fees paid to LifeLock by class action consumers who were allegedly injured by the same behavior alleged by the FTC. These funds, however, must be paid directly to and received by consumers, and may not be used for any administrative or legal costs associated with the class action. Any money not received by consumers in the class action settlement or through settlements between LifeLock and state attorneys general will be provided to the FTC for use in further consumer redress. In addition to the settlement’s monetary provisions, record-keeping provisions similar to those in the 2010 order have been extended to 13 years from the date of the original order."

Consumers who did not participate in the class action can still sue the company. Congratulations to the FTC for the enforcement and holding Lifelock accountable.


Experian Data Breach Affects 15 Million T-Mobile Customers, And Highlights Privacy Concerns

Experian logo Experian, one of the three major credit-reporting agencies in the United States, announced last week a data breach at affected at least 15 million T-Mobile customers. Unauthorized persons accessed an Experian server which contained personal information about consumer who had applied for T-Mobile USA services between September 1 and September 16, 2015.

Experian discovered the breach on September 15, 2015. The information accessed and stolen included names, addresses, Social Security Numbers, birth dates, identification numbers (e.g., driver's license, military ID, passport number, etc.), and additional data related to T-Mobile's credit-check process. The credit reporting agency also said:

"Experian’s consumer credit database was not accessed in this incident, and no payment card or banking information was obtained."

Thank heavens for little favors. Thankfully, at least one Experian employee had the good sense to segregate its database of T-Mobile customers from its database of everyone else. Otherwise, the hackers would have accessed and stolen sensitive personal information for 250 million persons. And, the "no payment card or banking information was obtained," is like saying bank thieves stole everything but not the one-, five-, and ten-dollar bills. This is bad folks, and Experian should not issue statements in a failed attempt to perfume-a-pig. The pig still stinks.

Experian has notified and is working with both federal and international law enforcement agencies. The post-breach investigation is ongoing. The company is notifying affected persons and will offer two years of free credit monitoring and identity resolution services. Some security experts are skeptical, and questioned whether Experian deployed the data-breach-detection services of 41st Parameter, a wholly owned subsidiary.

John Legere, the t-Mobile Chief Executive, said in a statement:

"Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian..."

Understandable and justified anger. No doubt, lawsuits will result.

This is not good. The data elements stolen are sufficient for criminals to apply for fraudulent loans, create fraudulent identification cards, and effectively approach the family, friends, coworkers, and classmates by impersonating breach victims.

This is not the first data breach at Experian. In February 2014, hackers used a client's login credentials to access an undisclosed number of consumers' records. The data stolen included consumer credit reports, names, addresses, Social Security Numbers, birth dates, and additional information commonly found in credit reports. In May 2012, Experian announced a breach where hackers accessed an undisclosed number of consumers' records between October 19, 2011 and February 13, 2012. A breach in 2009 affected Maryland residents, and a lawsuit was filed in July 2015 against Experian for allegedly selling consumer information to a criminal posing as a data broker. That criminal allegedly resold data to other identity thieves.

Some critics demand stronger consequences. Fight for the Future's Jeff Lyon said:

"Experian CEO Brian Cassin has put the profits of his company above the well-being of his customers and our nation's cybersecurity. Why should Experian bother fixing their security when they can just lobby their way out of the messes they make?"... This type of thinking is putting millions of people at risk. Cassin should resign..."

I agree. Cassin should resign. Lyon's comments allude to the Cybersecurity Information Sharing Act (CISA) of 2013, which is making its way through Congress. Privacy advocates argue that the bill fails to provide adequate data security protections and instead promotes data sharing of consumers' information with the federal government to facilitate surveillance. Some argue that the bill will actually hurt privacy.

I agree. It's poor legislation. Now, back to Experian. The credit reporting agency's track record of breaches is troubling. Paying post-breach related costs (e.g., free credit monitoring), again, is not enough of an incentive to change executives' behavior. Companies won't change until there are direct consequences for executives. Experian executives know better. It is in the business of collecting, archiving, and protecting consumers' sensitive personal and financial information.

What are your opinions?


OPM And DOD Hire ID Experts For Credit Monitoring And Post-Breach Services

Office of Personnel Management logo Just before the long holiday weekend, the Office of Personnel Management (OPM) and the Department of Defense (DOD) announced a contract with Identity Theft Guard Solutions LLc (a/k/a ID Experts) to assist the 21.5 persons affected by the massive breach first reported in June. The contract provide three years of free services for persons with sensitive information stolen, such as Social Security numbers.

Breach victims will be notified during September. The contract includes coverage for breach victims and their dependent children under the age of 18. ID Experts will provide credit monitoring, identity monitoring, identity theft insurance, and identity restoration services. Beth Cobert, the Acting Director at OPM, said:

“We remain fully committed to assisting the victims of these serious cybercrimes and to taking every step possible to prevent the theft of sensitive data in the future.. Millions of individuals, through no fault of their own, had their personal information stolen and we’re committed to standing by them, supporting them, and protecting them against further victimization. And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”

To learn more, the OPM suggested that breach victims sign up for email alerts and visit https://www.opm.gov/cybersecurity. The OPM announcement included advice for all breach victims to protect themselves and their sensitive information, plus additional information for residents of California, Kentucky, Maryland, and North Carolina.

Read the OPM announcement about its contract with ID Experts.


Medical Informatics Engineering Breach Highlights Breach Notice, Privacy, And Cloud-Storage Issues

Medical Informatics Engineering logo In early June,  Medical Informatics Engineering (MIE) announced a data breach where unauthorized persons accessed its systems. The breach at MIE, an electronic health records vendor used by many health providers, exposed the sensitive Protected Health Information (PHI) of an undisclosed number of patients in several states. MIE began to notify during June its corporate clients. MIE began notifying affected patients on July 17.

The July 24, 2015 MIE press release about the breach

"FORT WAYNE, Ind.--(BUSINESS WIRE--On behalf of itself, its NoMoreClipboard subsidiary and its affected clients, Medical Informatics Engineering is writing to provide updated notice of a data security compromise that has affected the security of some personal and protected health information relating to certain clients and individuals who have used a Medical Informatics Engineering electronic health record or a NoMoreClipboard personal health record or patient portal. We emphasize that the patients of only certain clients of Medical Informatics Engineering and NoMoreClipboard were affected by this compromise and those clients have all been notified."

No More Clipboard logo NoMoreClipboard.com (NMC) is a cloud-based service by MIE for storing patients' health records, and making the records easily accessible by a variety of devices: desktops, laptop,s tablets, and smart phones. The service is sold to doctors, hospitals, and related professionals.

According to its breach FAQ page, MIE's client list includes:

  • Concentra,
  • Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center (including Neurology, Physical Medicine and Neurosurgery),
  • Franciscan St. Francis Health Indianapolis,
  • Gynecology Center, Inc. Fort Wayne,
  • Rochester Medical Group,
  • RediMed,and Fort Wayne Radiology Association, LLC (including d/b/a Nuvena Vein Center and Dexa Diagnostics, Open View MRI, LLC, Breast Diagnostic Center, LLC, P.E.T. Imaging Services, LLC, MRI Center — Fort Wayne Radiology, Inc. f/k/a Advanced Imaging Systems, Inc.)

NoMoreClipboard.com's client list includes many clinics, hospitals, physicians, specialists, attorneys, schools, and more (links added):

NoMoreClipboard.com Clients Affected By Data Breach
Advanced Cardiac Care
Advanced Foot Specialists
All About Childrens Pediatric Partners, PC
Allen County Dept of Health
Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center
Altagracia Medical Center
Anderson Family Medicine
Arkansas Otolaryngology, P.A.
Auburn Cardiology Associates
Basedow Family Clinic Inc.
Bastrop Medical Clinic
Batish Family Medicine
Beaver Medical
Boston Podiatry Services PC
Brian Griner M.D.
Brightstarts Pediatrics
Burnsville Medical Center
Capital Rehabilitation
Cardiovascular Consultants of Kansas
Carl Gustafson OD
Carolina Gastroenterology
Carolina Kidney & Hypertension Center
Carolinas Psychiatric Associates
Center for Advanced Spinal Surgery
Chang Neurosurgery & Spine Care
Cheyenne County Hospital
Children's Clinic of Owasso, P.C.
Clara A. Lennox MD
Claude E. Younes M.D., Inc.
CMMC
Coalville Health Center
Cornerstone Medical and Wellness, LLC
Cumberland Heart
David A. Wassil, D.O.
David M Mayer MD
Dr. Alicia Guice
Dr. Anne Hughes
Dr. Buchele
Dr. Clark
Dr. Harvey
Dr. John Labban
Dr. John Suen
Dr. Puleo
Dr. Rajesh Rana
Dr. Rustagi
Dr. Schermerhorn
Dr. Shah
Ear, Nose & Throat Associates, P.C.
East Carolina Medical Associates
Eastern Washington Dermatology Associates
Ellinwood District Hospital
Family Care Chiropractic Center
Family Practice Associates of Macomb
Family Practice of Macomb
Floyd Trillis Jr., M.D.
Fredonia Regional Hospital
Fremont Family Medicine
Generations Primary Care
Grace Community Health Center, Inc.
Grisell Memorial Hospital
Harding Pediatrics LLP
Harlan County Health System
Health Access Program
Heart Institute of Venice
Henderson Minor Outpatient Medicine
Henry County Hospital myhealth portal
Highgate Clinic
Hobart Family Medical Clinic
Howard Stierwalt, M.D.
Howard University Hospital
Hudson Essex Nephrology
Huntington Medical Associates
Huntington Medical Group
Hutchinson Regional Medical Center
Idaho Sports Medicine Institute
In Step Foot & Ankle Specialists
Independence Rehabilitation Inc
Indiana Endocrine Specialists
Indiana Internal Medicine Consultants
Indiana Ohio Heart Indiana Surgical Specialists
Indiana University
Indiana University Health Center
Indianapolis Gastroenterology and Hepatology
Internal Medicine Associates
IU — Northwest
Jackson Neurolosurgery Clinic
James E. Hunt, MD
Jasmine K. Leong MD
Jewell County Hospital
John Hiestand, M.D.
Jonathan F. Diller, M.D.
Jubilee Community Health
Kardous Primary Care
Keith A. Harvey, M.D.
Kenneth Cesa DPM
Kings Clinic and Urgent Care
Kiowa County Memorial Hospital
Kristin Egan MD
Lakeshore Family Practice
Lane County Hospital
Logan County Hospital
Margaret Mary Health
Masonboro Urgent Care
McDonough Medical Group Psychiatry
Medical Care, Inc.
Medical Center of East Houston
Medicine Lodge Memorial Hospital
MedPartners
MHP Cardiology
Michael Mann, MD, PC
Michelle Barnes Marshall, P.C.
Michiana Gastroenterology, Inc.
Minneola District Hospital
Mora Surgical Clinic
Moundridge Mercy Hospital Inc
myhealthnow
Nancy L. Carteron M.D.
Naples Heart Rhythm Specialists
Nate Delisi DO
Neighborhood Health Clinic
Neosho Memorial Regional Medical Center
Neuro Spine Pain Surgery Center
Norman G. McKoy, M.D. & Ass., P.A.
North Corridor Internal Medicine
Nova Pain Management
Novapex Franklin
Oakland Family Practice
Oakland Medical Group
Ohio Physical Medicine & Rehabilitation Inc.
On Track For Life
Ottawa County Health Center
Pareshchandra C. Patel MD
Parkview Health System, Inc. d/b/a Family Practice Associates of Huntington
Parkview Health System, Inc. d/b/a Fort Wayne Cardiology
Parrott Medical Clinic
Partners In Family Care
Personalized Health Care Of Tucson
Phillips County Hospital
Physical Medicine Consultants
Physicians of North Worchester County
Precision Weight Loss Center
Primary & Alternative Medical Center
Prince George's County Health Dept.
Rebecca J. Kurth M.D.
Relief Center Republic County Hospital
Ricardo S. Lemos MD
Richard A. Stone M.D.
Richard Ganz MD
River Primary Care
Rolando P. Oro MD, PA
Ronald Chochinov
Sabetha Community Hospital
Santa Cruz Pulmonary Medical Group
Santone Chiropractic
Sarasota Cardiovascular Group
Sarasota Center for Family Health Wellness
Sarasota Heart Center
Satanta District Hospital
Saul & Cutarelli MD's Inc.
Shaver Medical Clinic, P. A.
Skiatook Osteopathic Clinic Inc.
Sleep Centers of Fort Wayne
Smith County Hospital
Smith Family Chiropractic
Somers Eye Center
South Forsyth Family Medicine & Pediatrics
Southeast Rehabilitation Associates PC
Southgate Radiology
Southwest Internal Medicine & Pain Management
Southwest Orthopaedic Surgery Specialists, PLC
Stafford County Hospital
Stephen Helvie MD
Stephen T. Child MD
Susan A. Kubica MD
Texas Childrens Hospital
The Children's Health Place
The Heart & Vascular Specialists
The Heart and Vascular Center of Sarasota
The Imaging Center
The Johnson Center for Pelvic Health
The Medical Foundation, My Lab Results Portal
Thompson Family Chiropractic
Trego County Hospital
Union Square Dermatology
Volunteers in Medicine
Wells Chiropractic Clinic
Wichita County Health Center
William Klope MD
Wyoming Total Health Record Patient Portal
Yovanni Tineo M.D.
Zack Hall M.D.

The MIE press release included few details about exactly how hackers accessed its systems:

"On May 26, 2015, we discovered suspicious activity in one of our servers. We immediately began an investigation to identify and remediate any identified security vulnerability. Our first priority was to safeguard the security of personal and protected health information, and we have been working with a team of third-party experts to investigate the attack and enhance data security and protection. This investigation is ongoing. On May 26, 2015, we also reported this incident to law enforcement including the FBI Cyber Squad. Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement’s investigation. The investigation indicates this is a sophisticated cyber attack. Our forensic investigation indicates the unauthorized access to our network began on May 7, 2015. Our monitoring systems helped us detect this unauthorized access, and we were able to shut down the attackers as they attempted to access client data."

The breach highlights the need for greater transparency by both health care providers and the outsourcing vendors they hire. The breach also highlights the fact that medical records are stored and accessible via cloud-based services. Did you know that? I didn't before. And, this raises the question: is storage of PHI in the cloud the best and safest way?

The breach notices from MIE to consumers may create confusion, since patients don't do business directly with MIE and probably won't recognize its name. My wife received a breach notice on Friday and did not recognize MIE by name. I hadn't heard of MIE, either, so I did some online research. During June, MIE notified both the California Attorney General's office (Aobe PDF) and the New Hampshire Attorney General's office (Adobe PDF) of residents in each state affected by the data breach. MIE is represented by the law firm of Lewis, Brisbois, Bisgaard and Smith LLP (LBBS). LBBS has offices in 35 states and the District of Columbia.

MIE probably notified several other states, but many states, including the Massachusetts Attorney General's office, do not post online breach notices they receive. (They should, since it helps consumers verify breach notices.) HIPAA federal law requires certain entities to send breach notices to affected patients for breaches of unprotected data affecting more than 500 patients. At press time, a check of the Health & Human Services site did not find an MIE breach listing. When posted, it should reveal the total number of patients affected by the breach.

The breach notice my wife received was dated July 17, 2015. It repeated information already available online and offered few, new details. It began:

"My name is Eric Jones and I am co-founder and COO of Medical Informatics Engineering, a company that provides electronic medical record services to certain health care provider clients, including Concentra. On behalf of Medical Informatics Engineering, I am writing to notify you that a data security compromise occurred at medical Informatics Engineering that has affected the security of some of your personal  and protected health information. This letter contains details about the incident and our response..."

My wife didn't recognize either Concentra nor No More Clipboard by name. The notice she received listed the following patients' information as exposed or stolen:

"While investigations into this incident are ongoing, we determined the security of some personal and protected health information contained on Medical Informatics Engineering's network has been affected. The affected information: SSN, Address, Phone, Birth Date"

This seemed vague. Which address: e-mail or residential street address? Which phone: mobile, land-line, or both? Were Social Security Numbers stored in open or encrypted format? And, if not encrypted, why not? The breach notice didn't say much.

Then, there is this: the breach letter my wife received included far fewer information elements than the July 24, 2015 press release:

"The affected data relating to individuals affiliated with affected Medical Informatics Engineering clients may include an individual’s name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, Social Security number, lab results, health insurance policy information, diagnosis, disability code, doctor’s name, medical conditions, and child’s name and birth statistics. The affected data relating to individuals who used a NoMoreClipboard portal/personal health record may include an individuals’ name, home address, Social Security number, username, hashed password, spousal information (name and potentially date of birth), security question and answer, email address, date of birth, health information, and health insurance policy information."

This raised the question: which MIE document is correct? The breach notice, the press release, or neither? The notice seemed to raise more questions than it answered, so Monday morning we called the MIE hotline listed in its breach notice. After waiting 50 minutes on hold, a representative finally answered. The phone representative identified herself and her employer, Epic Systems based in Oregon. So, MIE outsourced the hotline support portion of its post-breach response.

I asked the representative to explain exactly how MIE acquired my wife's medical records. She looked up my wife's record in their system and replied that MIE had acquired it through business with Concentra. This was puzzling since neither my wife nor I have done business with Concentra. So, I was on the phone with one subcontractor who was pointing the finger at another subcontractor. Lovely. And, nobody on the phone actually from MIE. Disappointing.

Next, I called the nearest Concentra office, which is 17 miles away in Wilmington, Massachusetts. (We live in Boston.) The person in the billing department was helpful. (She admitted that she, too, had received a breach notice from MIE.) The representative attempted to find my wife's information in Concentra's systems. As my wife and I thought: no record. We have not done any business with Concentra. Confirmed.

The Wilmington-office representative's first answer was to give me the MIE breach hotline number. I explained that I had already called the MIE hotline. Then, the representative provided a regional contact in Concentra's human resources department. I have called Tyree Wallace twice, but so far no response. Not good.

What to make of this situation? One vendor's system has errors, but I can't yet tell which: MIE or Concentra. Maybe that's a result of the hack. May be not. The whole situation reminds me of the robo-signing and residential mortgage-back securities scandals by banks, where shortcuts were taken without proper documentation and items repackaged, sold, and resold without disclosures -- nobody knew exactly what was what. An epic mess. Could a similar epic mess happened with electronic medical records? I hope not.

I reviewed the breach notice again, bu this time focused upon MIE's offer of two years of free credit monitoring services with the Experian ProtectMyID Elite service. The ProtectMyID website lists the following features:

"Credit Monitoring: You may review your credit card statements every month for purchases you didn't make. But, every day, we check your credit report for other types of fraud that are much more dangerous. We watch for 50 leading indicators of identity theft. Each one, from a new loan to medical collections, poses a unique threat to your identity that we'll help you address."

"Internet Scan: ProtectMyID continually monitors a vast number of online sources where compromised credit and debit card numbers, Social Security numbers and other personal data is found, traded or sold, helping reduce your potential exposure to identity theft."

"National Change of Address Monitoring: Your bills and monthly statements can feed criminals important account and personal information. An identity thief may steal a single piece of your mail or all of it with a fraudulent change of address request at the post office. Every day, we look for the red flags. We monitor address changes at the national and credit report levels and help you resolve any issues."

Is this a good deal? Each affected patient can decide for their self, since you know your needs best. Plus, patients' needs vary. The Internet scan and address monitoring features sound nice, but only you can determine if you need those protections. While two years of free credit monitoring is better than one year, I couldn't find an explicit statement in the site where ProtectMyID monitors credit reports at all three credit reporting agencies (e.g., Experian, Equifax, TransUnion), or only one. Monitoring only one doesn't seem like effective coverage. In 8+ years of blogging, I've learned that criminals are smart and persistent. Monitor only one branded credit report (e.g., Experians), and criminals will approach lenders who use other branded credit reports, in order to take out fraudulent loans.

So, what to make of this breach? I see several issues:

  1. Transparency matters: the MIE breach and its post-breach response highlight the importance of transparency. Health care providers and outsourced vendors should make it easy for patients to determine who has their electronic health records and why. Breach notices should clearly state both the EHR vendor's name and the health care provider each patient specifically used. Don't use vague, confusing language MIE used. (See above.) Be specific and clear in breach notices. Something like this would be better: "We acquired your electronic health records during [year] from Concentra. It was acquired for [insert reasons]."
  2. Update online policies: health care provider's websites should identify the EHR vendors by name in their policies (e.g., terms of use, privacy). EHR vendor sites should identify their clients. Why? When breaches happen, patients need to quickly and easily verify the vendor's breach notice received. When policies don't mention vendors by name, verification is harder.
  3. Effective credit monitoring: ideally, provide a free service that monitors credit reports at all three major credit reporting agencies (e.g., Equifax, Experian, and TransUnion), not one.
  4. Cloud-based EHR services: is this the best, safest way to store PHI? Cloud storage offers speed, flexibility, and storage benefits. But what about security? Can PHI be effectively secured and protected in the cloud? If you want to learn more, read this 2013 report by the Center for Democracy & technology about HIPAA compliance and cloud storage (Adobe PDF). The MIE breach highlights the risk. Time will tell if experts were correct. Time will tell if cloud-storage vendors can adequately protect electronic health records (EHR).

In my opinion: an epic fail is brewing. It seems that MIE has done, so far, the minimum with its post breach response. The efforts seem focused upon avoiding liability instead of helping affected patients. So far, MIE has failed to provide a satisfactory answer about when, how, and why it acquired my wife's electronic medical records. I look forward to more disclosures by MIE about exactly how hackers breached its system, and what it will do so this doesn't happen again.

During the next day or so, my wife and I will file a HIPAA complaint. I encourage other patients in similar situations to file complaints, too.

Did you receive a breach notice from MIE? What are your opinions of the MIE data breach and the company's response? Of the free ProtectMyID credit monitoring arranged by MIE? If you have used Concentra, what are your opinions of it?


FTC Alleged Lifelock Violated 2010 Settlement Agreement. Company Stock Price Plunged

Lifelock logo You've probably seen the advertisements on television. Lifelock provides identity protection services. Last week, the U.S. Federal Trade Commission (FTC) took action against Lifelock for allegedly violating the terms of its 2010 settlement. The FTC press release:

"... from at least October 2012 through March 2014, LifeLock violated the 2010 Order by: 1) failing to establish and maintain a comprehensive information security program to protect its users’ sensitive personal data, including credit card, social security, and bank account numbers; 2) falsely advertising that it protected consumers’ sensitive data with the same high-level safeguards as financial institutions; and 3) failing to meet the 2010 order’s recordkeeping requirements... from at least January 2012 through December 2014, LifeLock falsely claimed it protected consumers’ identity 24/7/365 by providing alerts “as soon as” it received any indication there was a problem..."

The 2010 settlement resulted after FTC allegations that LifeLock used false claims to promote its identity theft protection services. The settlement stopped the company and its executives from making such claims, and required the company to take stronger measures to protect customers' personal information. The 2010 settlement included a $12 million payment for consumer refunds.

Todd Davis, Chairman and CEO, responded to the FTC allegations in Lifelock's blog:

"LifeLock has been up front and transparent that we have been in a dialogue with the Federal Trade Commission for more than 18 months. During this time, we have worked with agency staff and commissioners, striving to come to a satisfactory resolution. Despite our efforts, we were unable to do so. As a result of our unwillingness to agree to an unreasonable settlement, the agency has decided to litigate its claims. We disagree with the substance of the FTC’s contentions and are prepared to take our case to court."

The legal motions were filed under seal. Lifelock is based in Tempe, Arizona. AZCentral reported:

"LifeLock shares fell more than 49 percent after the FTC accused the company of violating terms of a 2010 settlement by continuing to deceive customers and failing to protect their data... Their assurances did little to stave such a massive sell-off of shares. Because of the plunge, the New York Stock Exchange was twice forced to suspend trading of LifeLock as the share price dropped from $16.05 to close at $8.15."

Consumer Reports reviewed the Lifelock service in 2013:

"The bottom line: Protect yourself for less. Monitor your financial statements and credit reports for suspicious activity that can lead to identity theft. If your credit cards are lost or stolen, you don’t need LifeLock to notify your financial institutions to cancel and replace them. If your Social Security number is out there, we suggest that you put a security freeze on your credit reports at the big three credit bureaus–Equifax, Experian, and TransUnion. That will prevent creditors from accessing your file if a crook tries to open a new account in your name... But there is usually no charge if you’re already a victim of ID theft. Credit bureaus consider credit- and debit-card theft as identity theft, so it should be easier for you to get free freezes."

Past pitch persons for Lifelock have included former prosecutor and New York City Mayor Rudy Giuliani, and radio personality Rush Limbaugh.

July 24 view of Rush Limbaugh site


What Breach Victims Need To Know About Target's Credit Monitoring Service Offer

Target Bullseye logoAt least 70 million shoppers were affected by the Target data breach. To help breach victims protect themselves, Target arranged free credit monitoring services by Experian. Is the credit monitoring service offered by Target a good deal? To answer this question it is important to understand the risks.

Protecting yourself is important. Doing nothing is not wise. According to Consumer Reports:

"As we reported last February, a whopping 22.5 percent of consumers who received notice of a security breach, like the one that occurred at Target, subsequently became victims of identity theft, according to a survey of 5,000 consumers by Javelin Strategy and Research, a California consulting firm that has studied this crime for more than 10 years."

To protect themselves, Consumer Reports advised breach victims to do four things:

  1. Contact the bank or issuer of your credit or debit card. Tell them that your payment information has been stolen. You can do this yourself for free. The phone numbers are on your monthly statements.
  2. Place a 90-day Fraud Alert on your credit reports at the three major credit-reporting agencies: Equifax, Experian, and TransUnion. You can do this yourself for free with a phone call to at least one of the three credit reporting agencies. (The other two agencies usually follow.) Target's web site contains contact information for all three credit reporting agencies. When lenders order credit reports that have a Fraud Alert on them, they are supposed to take steps to verify that the person applying for credit (or a loan) is the real person. You can easily renew a Fraud Alert after 90 days.
  3. For more protection, place a Security Freeze on your credit reports at each of the three major credit-reporting agencies. This will prevent criminals from taking out new credit or loans in your name (unless the criminals fraudulently order credit reports from smaller, regional credit reporting agencies). Fees vary by state. There are fees to place a Security Freeze on your credit report, to temporarily remove an existing Security Freeze, and to permanently remove a Security Freeze. You can do this yourself by following the instructions available at each credit-reporting agency's web site.
  4. If you shopped at Target with your debit card, then you probably should get a new debit card and account at your bank, since a stolen debit card provides thieves with direct access to your checking account. If your bank hasn't provided a replacement card and account, you can demand it. Yes, you will probably have to go through the hassle of re-establishing your online payment settings.

Breach victims can do the above four actions on their own, and do most of them for free. To learn more about the Fraud Alert and Security Freeze tools, you can read this comparison, the experiences of other consumers with Fraud Alerts, my experience with a Security Freeze, and select "Fraud Alert" in the tag cloud in the right column.

However, breach victims interested in monitoring their credit reports need to monitor their credit reports at all three major credit reporting agencies. Deseret News reported last week:

"... each of the three major credit bureaus — Equifax, TransUnion, and Experian — can collect different information. So unless you're checking all of them, you can miss someone trying to steal your identity and open new credit..."

So, it is important to understand this when evaluating Target's offer of free credit monitoring service by Experian. Breach victims also need to understand:

"The credit monitoring service offered by Experian is an ongoing review of your current credit history. If an identity thief opens a new account using your name and personal information, you will receive an alert by email or text message. What the free credit monitoring service through Experian does not do is to monitor transactions — the actual, day-to-day purchases made on your credit and debit cards. That is something you must do yourself."

Breach victims also need to understand (emphasis added):

"The type of free credit monitoring offered by Target monitors only one credit reporting agency — Experian — and not the credit history files maintained by Equifax and TransUnion. This a huge disadvantage... Once consumers enroll in the “free” credit monitoring service, they are enticed with an offer to purchase an Equifax and TransUnion credit report for up to $74 more to supplement the free report provided by Experian."

So, to monitor credit reports at all three major credit reporting agencies, breach victims must pay more. The next judgment breach victims need to make is whether Target's offer of 12 months is long enough.

During the past six years while writing this blog, I have observed plenty of data breaches. There is no magic that stops criminals from using stolen card information after 12 months. Criminals will use stolen card information as long as they think they can use it to commit fraud. Criminals resell stolen card information to other criminals. Breach victims that want coverage longer than 12 months must pay more.

Is Target's credit monitoring service offer a good deal? Each breach victim should decide for their self, as people's needs and situation vary. Some have experienced fraud while others haven't. Hopefully, this blog post has highlighted the considerations for breach victims.

My opinion: Target cut corners with it credit monitoring offer. The retailer should have provided a service that covers credit reports from all three credit reporting agencies and provides coverage for a longer period (e.g., ideally, five years). Target's offer seems like an attempt to do the minimum to protect itself, which shifts the cost burden of credit monitoring services onto its breach victims.

Is this fair? I think not, since the retailer created the problem on its own by failing to protect shoppers' financial payment information. Target's motto applies here, too:

"Expect More, Pay Less."

With Target's credit monitoring offer, breach victims get less and pay more. Target should also pay for breach victims' Security Freeze costs. Will the retailer do the right thing and live up to its motto?


JPMorgan Chase To Pay About $1 Billion in Fines To Settle Charges By Regulators

Consumer Financial Protection Bureau logo An earlier post reported that both the Consumer financial Protection Bureau (CFPB) and the Office Of The Comptroller Of The Currency (OCC) were considering fines for JPMorgan Chase, after allegations about how the bank sold identity theft protection services to credit card customers, and collected past-due bills from customers. The two agencies had investigated together the allegations. Late last week, several agencies concluded their investigations and announced both settlements and fines with the bank.

First, the CFPB announced that it had ordered:

"... Chase Bank USA, N.A. and JPMorgan Chase Bank, N.A. to refund an estimated $309 million to more than 2.1 million customers for illegal credit card practices... Chase enrolled consumers in credit card “add-on” products that promised to monitor customer credit and alert consumers to potentially fraudulent activity. In order for consumers to obtain credit monitoring services, consumers generally must provide written authorization. Chase, however, charged many consumers for these products without or before having the written authorization necessary to perform the monitoring services. Chase charged customers as soon as they enrolled in these products even if they were not actually receiving the services yet."

So, the bank charge customers for services the customers never authorized. And, there is more. The bank also unfairly charged fees and interest:

"... The unfair monthly fees that customers were charged sometimes resulted in customers exceeding their credit card account limits, which lead to additional fees for the customers. Some consumers also paid interest charges on the fees for services that were never received."

And, the bank didn't deliver the services promised:

"... Consumers were under the impression that their credit was being monitored for fraud and identity theft, when, in fact, these services were either not being performed at all, or were only partially performed."

All of this happened from October 2005 to June 2012. the order requires Chase to:

  1. Stop unfair billing practices
  2. Fully refund, with interest, the 2 million consumers who enrolled in credit monitoring services, charged for these services, and did not receive the services promised. The bank must also refund any interest and over-the-limit fees charged. This refund is estimated at $309 million.
  3. Consumers should have received refunded by November 30, 2012. Chase credit card holders should have received a credit to their accounts. Former card holders should have received checks.
  4. The bank must submit to an independent audit to ensure compliance with the CFPB order.
  5. The bank must also strengthen its management of third-party vendors that provide any credit monitoring services.
  6. The bank will pay a $20 million penalty payment to the CFPB’s Civil Penalty Fund.

Second, the OCC announced that it had levied a separate $60 million fine against JPMorgan Chase and Chase Bank USA:

"The OCC found that the bank’s billing practices violated Section 5 of the Federal Trade Commission (FTC) Act, 15 U.S.C. § 45(a)(1), which prohibits unfair and deceptive acts or practices. The $60 million civil money penalty reflects a number of factors, including the scope and duration of the violations and financial harm to consumers from the unfair practices. The penalty will be paid to the U.S. Treasury."

Securities and Exchange Commission seal Third, the Securities and Exchange Commission (SEC) announced several charges against the bank and a settlement agreement with the bank:

"JPMorgan has agreed to settle the SEC’s charges by paying a $200 million penalty, admitting the facts underlying the SEC’s charges, and publicly acknowledging that it violated the federal securities laws."

This is noteworthy also because, as part of the settlement, the bank will admit to facts that led to the wrongdoing. Sadly, most settlement agreements don't require the defendant to admit to any wrongdoing. The SEC had charged JPMorgan Chase with:

"... with misstating financial results and lacking effective internal controls to detect and prevent its traders from fraudulently overvaluing investments to conceal hundreds of millions of dollars in trading losses."

As part of the settlement agreement, the bank will admit to the following facts that led to the wrongdoing:

"The trading losses occurred against a backdrop of woefully deficient accounting controls in the CIO, including spreadsheet miscalculations that caused large valuation errors and the use of subjective valuation techniques that made it easier for the traders to mismark the CIO portfolio."

"JPMorgan senior management personally rewrote the CIO’s valuation control policies before the firm filed with the SEC its first quarter report for 2012 in order to address the many deficiencies in existing policies."

"By late April 2012, JPMorgan senior management knew that the firm’s Investment Banking unit used far more conservative prices when valuing the same kind of derivatives held in the CIO portfolio, and that applying the Investment Bank valuations would have led to approximately $750 million in additional losses for the CIO in the first quarter of 2012."

"External counterparties who traded with CIO had valued certain positions in the CIO book at $500 million less than the CIO traders did, precipitating large collateral calls against JPMorgan."

"As a result of the findings of certain internal reviews of the CIO, some executives expressed reservations about signing sub-certifications supporting the CEO and CFO certifications required under the Sarbanes-Oxley Act."

"Senior management failed to adequately update the audit committee on these and other important facts concerning the CIO before the firm filed its first quarter report for 2012."

"Deprived of access to these facts, the audit committee was hindered in its ability to discharge its obligations to oversee management on behalf of shareholders and to ensure the accuracy of the firm’s financial statements."

The CIO is the Chief Investment Office within the bank. George S. Canellos, Co-Director of the Division of Enforcement at the SEC said:

“While grappling with how to fix its internal control breakdowns, JPMorgan’s senior management broke a cardinal rule of corporate governance and deprived its board of critical information it needed to fully assess the company’s problems and determine whether accurate and reliable information was being disclosed to investors and regulators.”

The SEC coordinated its global investigations and actions with the U.K. Financial Conduct Authority, the Federal Reserve, and the OCC.The U.K. Financial Conduct Authority announced that it fined JPMorgan Chase:

"... £137,610,000 ($220 million) for serious failings related to its Chief Investment Office (CIO). JPMorgan’s conduct demonstrated flaws permeating all levels of the firm: from portfolio level right up to senior management, resulting in breaches of Principles 2, 3, 5 and 11 of the FCA’s Principles for Businesses - the fundamental obligations firms have under the regulatory system.The breaches occurred in connection with the $6.2 billion trading losses sustained by CIO in 2012... known as the “London Whale” trades, and were caused by a high risk trading strategy, weak management of that trading and an inadequate response..."

The SEC announcement said that JPMorgan will pay about $920 million total in penalties to the four agencies.

I applaud the agencies for their coordinated, global actions. Because banks and corporations operate globally, enforcement agencies must work smartly and cooperate globally. I commend the agencies for a settlement agreement where the defendant admits to facts that led to wrongdoing.

I commend the agencies for the fines, but I wish the fines were far greater. All of this wrongoding at JPMorgan Chase seems consistent with research that found younger bankers have accepted wrongdoing as a necessary evil to succeed. Bankers globally have a severe ethics problem. As former Secretary of Labor Robert Reich commented recently on Twitter.com about the effectiveness of fines to prevent banking abuses:

"Fines effective only if risk of being caught x probability of being prosecuted x amount of fine > profits to be made."

I agree with that assessment 1,000 percent. The outstanding questions I have:

  1. Who is going to jail as a result of violating federal securities laws?
  2. What actions (e.g., discipline, firings) will the bank's board of directors taking against senior management that participated in the wrongdoing?
  3. Since wrongdoing occurred at all levels within the bank, what corrective actions -- beyond the settlement agreements -- will the bank take to change banking culture (e.g., teach and reinforce ethics since many bankers fear retaliation) to prevent future wrongdoing?

A new corporate code of ethics is not enough. Not even close.


Regulators Prepare Fines For JPMorgan Chase

Just before the long holiday weekend, the New York Times reported about possible fines for the bank, JPMorgan Chase. The possible fines result from investigations by the Consumer financial Protection Bureau (CFPB) and the Office Of The Comptroller Of The Currency (OCC) into allegations about how the bank sold identity theft protection services to credit card customers, and collected past-due bills from customers.

According to the newspaper:

"The most costly cases for JPMorgan center on concerns that the bank duped its credit card customers into buying products pitched as a way to shield them from identity theft. In separate actions reflecting their varied jurisdictions, the consumer bureau will levy a roughly $20 million fine, while the comptroller’s office is expected to extract about $60 million... In a public filing this month, JPMorgan disclosed to investors a bevy of pending investigations from federal authorities scrutinizing the bank’s financial crisis-era mortgage business and its multi-billion-dollar trading loss in London last year..."

In his Twitter feed, former Secretary of Labor Robert Reich commented about the effectiveness of fines to prevent banking abuses:

"Fines effective only if risk of being caught x probability of being prosecuted x amount of fine > profits to be made."

I agree with that assessment 1,000 percent.


Class Action Settlement Proceeds With Bank Of America Credit Protection Service Customers

Back in August 2012, Bank of America agreed to pay $20 million to settle a class-action lawsuit about alleged deceptive marketing with its credit protection services. Also in August, the bank announced that it had decided to independently stop accepting new customers for its credit protection services and to terminate its credit protection services in 2013.

Recently, a relative received the postcard below from Gilardi & Company LLC, the administrator for the class-action settlement. Because the reply mechanism with the postcard asked for sensitive personal information, that relative asked me to investigate:

Settlement notification postcard side 1

Settlement notification postcard side 2

Gilardi has set up www.creditprotectionsettlement.com for consumers who subscribed to a credit protection service from Bank of America between January 1, 2006 and July 17, 2012. You may be eligible for a payment, which could be $50 or $100 depending upon your situation. You must submit a claim to receive payment. Key upcoming deadline dates:

  • December 13, 2012 to opt out of the settlement agreement
  • December 13, 2012 to submit objections about why you do not like the settlement agreement
  • January 14, 2013: Fairness Hearing
  • February 26, 2013 to submit a claim

Class Action Settlement For Users Of Identity Protection Services With Discover Financial Services

Discover Financial Services Last week, I received a notice from Discover Financial Services about a class-action settlement offer for consumers who used one a Discover identity protection service:

"If you were enrolled in or billed for Discover Payment Protection, AccountGuard, Identity Theft Protection, Profile Protect, Wallet Protection, The Register and/or Credit Score Tracker between January 21, 2004 and November 9, 2011, this notice describes your rights in connection with a settlement of a lawsuit and your potential recovery."

The settlement combines class-action lawsuits in several states which claimed that Discover Financial Services used improper marketing, enrollment, and pricing practices:

  • Walker v. Discover Financial Services et al (N.D. III Case No. 10-cv-06994-JWD)
  • Callahan v. Discover Financial Services et al (N.D. III Case No. 1:10-cv-07181-JWD)
  • Alexander v. Discover Financial Services et al (D.S.C. Case No. 7:10-cv-02754-HMH)
  • Sack v. DFS Services LLC et al (W.D. Tenn. Case No. 2:10-cv-02906-JPM)
  • Boyce v. DFS Services LLC (E.D. Pa. Case No. 2:11-cv-00265-LDD)
  • Conroy v. Discover Financial Services et al (C.D. Cal. Case No. 2:10-cv-5260-MMM-E)
  • Triplett v. Discover Financial Services, Inc. et al (S.D. Fla. Case No. 1:11-cv-20519-AJ)
  • Carter v. Discover Financial Services, Inc. et al (E.D. Pa. Case No. 2:11-cv-01656-BMS)

Discover has agreed to set up a settlement $10.5 million fund. If you want to learn more, read the settlement offer details, file a claim, or exclude yourself from this settlement, visit the WalkerSettlement.com website, or contact the Settlement Administrator:

Settlement Administrator
Walker Settlement
P.O. Box 8023
Faribault, MN 55021-9423
Phone: (866) 944-5034

Claims must be filed by June 6, 2012. Exclusion requests and settlement objections must be received by March 23, 2012.

In April 2008, I discussed in this blog my experiences with the Discover Identity Theft Protection service. In September 2011, Javelin Strategy & Research rated Discover's identity fraud resolution services highly in its Seventh Annual Card Issuer's Safety Scorecard. The study evaluated the top 23 card issuers according to three categories: identity fraud prevention, detection and resolution.

The press releases section at the Discover website did not mention the Walker Settlement.


Sony Used Obsolete Data Security Software; Debix Offered

On Friday, eWeek reported that the massive Sony Playstation Network data breach could have been avoided if Sony had used basic online data security measures:

"Sony failed to use firewalls to protect its networks and was using obsolete Web applications, which made the company’s sites inviting targets for hackers, a Purdue University professor testified May 4 to a Congressional committee..."

Consumer Reports reported much of the same:

"In congressional testimony this morning, Dr. Gene Spafford of Purdue University said that Sony was using outdated software on its servers—and knew about it months in advance of the recent security breaches..."

Between the two Sony PSN and SOE breaches, about 102 million consumers worldwide have been affected. Sony has arranged for 12 months of complimentary credit monitoring service via Debix for breach victims in the United States. Sony is currently notifying breach victims of the June 18 deadline to enroll in the Debix AllClear ID Plus program. Sony has not disclosed the number of breach victims in the United States, nor what credit monitoring service will be offered to breach victims outside the United States.

This past week, Congress held hearings about the Sony and Epsilon data breaches. In a letter from Sony to the U.S. Congress, the company stated that it had experienced a Distributed Denial of Service (DDoS) attack before the data breaches. Sony claimed that this DDoS attack and the sopistication of the data breach made breach detection difficult to spot. When I read this, it sounded like Sony could not walk and chew gum at the same time. I expect much more from a multi-billion dollar corporation.

A response from Congressional Representative Mary Bono Mack (Republican - California), Chairman of the House Subcommittee on Commerce, Manufacturing and Trade, included this:

"Like their customers, both Sony and Epsilon are victims, too. But they also must shoulder some of the blame for these stunning thefts, which shake the confidence of everyone who types in a credit card number and hits enter. E-commerce is a vital and growing part of our economy... these latest cyber attacks, they serve as a reminder – as well as a wake-up call – that all companies have a responsibility to protect personal information and to promptly notify consumers when that information has been put at risk..."

I view Mack's statement as too mild when the scope and severity of the breaches demand a stronger response. Mack could have emphasized more than just the need for fast breach notification of consumers. Consumers didn't cause this breach. While fast notificaton helps consumers somewhat, the best solution -- breach prevention -- lies with the corporation.

Massive breaches like Sony's will continue as long as companies act fast, loose, and sloppy with data security of consumers' sensitive personal data. Massive breaches like this will continue as long as the costs to upgrade data security outweigh the costs of any penalties. There have to be penalties for companies that repeatedly experience data breaches, and/or use obsolete data security software and methods.

It appears that in Sony's case, the company's sloppy data security made it easy for criminals to steal sensitive consumer information. 12 months of free credit monitoring is not enough, because the threat of criminals using stolen identity and bank data doesn't magically stop after 12 months. 5 or 10 years of complimentary credit monitoring service would be better. And, the cost of providing breach victims with free credit monitoring services is small compared to other post-breach expenses.

When companies offer a short, 12-month period of free credit monitoring, that effectively transfers the burden -- time and money -- to consumers from month 13 on. Even though consumers didn't cause this breach, consumers end up spending time and money long-term to monitor and protect their accounts long after the free credit monitoring period has ended.

What do you think?


Nearly 1 Million Lifelock Customers To Receive Checks From The FTC

Well, this press release says it all. Last Thursday, the U.S. Federal Trade Commission (FTC) announced in a press release that it is mailing refund checks to victims of Lifelock's allegedly false marketing claims:

"In March 2010, FTC Chairman Jon Leibowitz announced that LifeLock had agreed to pay $11 million to the FTC and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the company’s CEO’s Social Security number on the side of a truck. The FTC charged that LifeLock provided less protection against identity theft than promised and made claims about its own data security that were not true. Consumers who signed up for LifeLock’s services based on those false claims will now be receiving refund checks."

Celebrities including Rush Limbaugh and Montel Williams promoted Lifelock's services. Consumer Reports reviewed Lifelock's services. In 2008, Experian sued Lifelock about the placement of Fraud Alerts, and in 2009 a California District court ruled in Experian's favor.

About 957,928 consumers will receive checks for $10.87 each. This will be the entire and only distribution to eligible consumers. If you have questions about eligibility, contact the administrator toll-free at 1-888-288-0783, or visit www.ftc.gov/refunds.


A Review of Bank of America PrivacySource

A couple weeks ago, I received a letter from Bank of America via postal mail:

"Records Request
Please Review Important information Below
Please Reply Within: 14 Days"

"THIS NOTICE IS REQUIRED BY LAW
You have the right to a free credit report from AnnualCreditreport.com or 877-322-8228, the ONLY authorized source under federal law."

"Complimentary Credit report and Credit Score -- Your signature is required to try the Bank of America PrivacySource(®) at no cost for 30 days so you can receive delivery of your Compiled Credit Portfolio. your benefits will include the following:
1. Your Complimentary Triple-Bureau Credit Report
2. Your Complimentary Triple-Bureau Credit Score
3. Daily Monitoring notifications"

I had not heard of the PrivacySource service before. I had heard of the PrivacyAssist credit monitoring service from BofA, and reviewed it in this blog. Inside the BofA PrivacySource envelope was a single sheet of paper with this offer and a return envelope. I read the entire offer letter looking for a website address. When I receive an offer like this, I expect the offer letter to provide a website address so I can learn more. Surprisingly, the offer letter didn't mention a website: neither a BofA website nor a PrivacySource website. Not good.

I then performed a few Google searches for PrivacySource which turned up this BofA page. I followed the PrivacySource link at the page bottom, and then entered my state on the next page. The problem: the BofA site redirected to a Privacy Assist page which didn't mention anything about PrivacySource. This was confusing and frustrating. Maybe PrivacySource is replacing BofA's PrivacyAssist credit monitoring service. Or maybe PrivacySource isn't available in my state. The BofA website didn't say. Not good.

After some more searching, I found a page at the CreditReportCamp.com site which mentioned the website address for Privacy Source: PrivacySource.Bankofamerica.com. It should not be this hard to find a website address. Whoever built the BofA PrivacySource website failed miserably at SEO. BofA should have listed the website address in the offer letter. And, the BofA website should have linked me directly to it.

But, back to the offer letter. Part of the way down the page, the letter included some important information:

"By signing this form you are authorzing a debit from your Bank of America checking account to the amount of $12.99 per month for a membership in the Bank of America PrivacySource (®) service unless you cancel within the 30_Day Trial Offer period.

That told me a lot. PrivacySource is a credit monitoring service. The offer was similar to offers I've seen before from FreeScore.com and the major credit reporting agencies, except there were two freebies: a "Triple-Bureau Credit Report" and a "Triple-Bureau Credit Score." That sounded nice.

Like most people, I like free things. But, what is a Triple-Bureau Credit Report, and what does it look like? Is it a summary, or does it provide the same details as a credit report from Experian, Equifax, or TransUnion? The offer letter didn't say. Nor did it include an example report. It's hard to evaluate an offer when the service doesn't provide an example report. Not good.

I also wanted to know what a "Triple-Bureau Credit Score" is. Is it the same as a FICO credit score? Or is it a VantageScore? There are several different brands of credit scores available, and I want to know what I am buying. The offer letter didn't say. Nor did it provide a sample score. Not good.

Near the bottom of the offer letter, there was this important information in tiny type:

"By signing this form, you authorize bank of America to share your Social Security Number with Trilegiant, the service provider of the Bank of America PrivacySource service, and authorize Trilegiant and its credit information providers, which may include First Advantage Credco and FAMS, to obtain and monitor your credit files and information from the credit reporting agencies..."

Well, that said a lot. Trilegiant operates the credit monitoring service for BofA under the brand name PrivacySource. I know a little about Trilegiant as I wrote briefly about it previously in this blog. And, Trilegiant was involved in 2008 in at least one class-action lawsuit, which the company settled for $25 million:

"Trilegiant, a subsidiary of Cendant Corp., has also been the target of actions by attorneys general in California, Connecticut and Florida. In 2006, it settled charges brought by 16 states alleging that Trilegiant and Chase Bank had deceived consumers into paying for membership programs."

This is the best vendor BofA could find for its credit monitoring service? More troubling are the recent consumer complaints about Trilegiant.

But let's get back to the BofA PrivacySource offer letter. The language of this authorization troubles me... particularly the "may include" phrase. It essentially says that BofA through Trilegiant will share my sensitive personal information with other companies and doesn't name all of companies, only a couple of possibilities. That is partial and insufficient disclosure to me. Not good.

And, who is First Advantage Credco? And FAMS? I did a little searching and found this First Advantage Credco profile on LinkedIn.com. The company's official website is credco.com, and it appears to be in the midst of a name change to CoreLogic. CoreLogic Credco appears to collect and data mine consumer information, with perhaps an attempt to enter the credit report marketplace.

I have not been able to determine who FAMS is. If you know, please share a description and website link in the comments section below.

About the PrivacySource website, to its credit the site does provide sample credit reports and credit scores. I compared the reports to actual credit reports I already have from Experian, Equifax, and TransUnion. The PrivacySource credit reports look like summaries. To adequately manage my finances, I need the real thing -- not summaries.

Consumers who visit the PrivacySource website should read the service's Terms and Conditions. This is important to understand what you get for $12.99 per month. You get a credit monitoring service and no credit resolution services. If you are the victim of identity theft and fraud, you'll need both services-- you'll need resolution service to help you communicate with various companies, lenders, and government agencies to fix your credit and all affected financial records.

PrivacySource uses CreditXpert Credit Scores (TM) from CreditXpert.com. Consumers should be aware that this is a different credit score brand. It is not the same as FICO from the Fair Isaac Corporation. The My ID Alert service from Capital One also uses CreditXpert Credit Scores.

If you have the time, you might compare PrivacySource and PrivacyGuard.com, Trilegiant's credit monitoring service. I didn't bother comparing the two sites because I'd already made up my mind about PrivacySource. First impressions are important. The PrivacySource offer letter was underwhelming and the site was difficult to find.

Is BofA PrivacySource for you? Only you can make that decision. It's not for me. Why? First, the letter didn't contain enough information for me to to make a decision, and it didn't include the service website. Second, the difficulty I encountered with finding the PrivacySource website gave me the impression that if the company can't do that well, the actual service is probably problematic, too.

Third, the sample credit reports seemed like summaries and not the full detail. Fourth, I prefer a comprehensive service that includes both credit monitoring and resolution services. Fifth, there are more comprehensive services that also help with medical identity theft and fraud.

If you already signed up for PrivacySource, please share your experience below. I've Been Mugged readers would love to hear your experiences, good and bad. If you have experiences with FAMS and/or First Advantage Credco, we'd like to hear about that too.


Identity Protection Advice For Consumers When On Vacation

Intersections, the provider of Identity Guard and several credit monitor services for big banks, and the Identity Theft Assistance Center (ITAC) advise consumers to take several precautions to protect their identity information, bank, and financial accounts when traveling on vacation. To guard against home burglary:

"... before you leave: Have your mail collected or held at the Post Office, ideally have someone visit and turn lights on and off, and do not leave financial documents lying in plain view."

While traveling on vacation:

"If you need to access your email from cyber cafe or other establishment, limit your access, avoid entering any passwords to your personal financial accounts, and be sure to log off when you are finished with your session."

Advice I would add to this: use Private Browsing or clear the cache and browser history when you are finished. Perhaps, more importantly while traveling:

"Try to avoid "tweeting" or blogging about your travel plans or talking about them on social networking sites like Twitter, Facebook and MySpace. Thieves may use this information to target empty homes.

I prefer to post messages after I have returned home. You make believe that all of your friends are trustworthy, but remember that a thieves may impersonate one of your friends online after hacking an email account. My favorite tip whether you are traveling or not:

"If browsing the Internet with a wireless connection, do not assume public "hot spots" are secure. Ensure you are using encryption to scramble communications over a network."

Identity criminals and hackers target hotels because their customers are a rich source of credit card information. Wyndham Hotels had three breaches during the past year. Intersections and ITAC advise consumers while traveling on vacation:

"If you're staying at a hotel or motel and receive a call from the reception desk asking that you confirm a credit card number, tell them you'll provide the information at the front desk instead. The call could easily be a random one from outside the hotel."

Prior posts have discussed whether or not it is better or safer to shop with credit cards versus debit cards. I shop only with my credit cards: at home and while traveling. Intersections and ITAC advise consumers while traveling on vacation:

"Bring as few credit cards as possible and ideally carry just one with you and keep a backup card in the hotel safe. Bring a copy of the emergency contact numbers for your credit cards and bank accounts in case they're lost or stolen. It is recommended that travelers do not use their debit cards while on vacation to further protect their checking accounts.... Use cash or travelers checks wherever possible to minimize the risk of credit card fraud or overcharging (this can also help avoid costly exchange fees if you're traveling abroad)."

To learn more about Intersections, read these credit monitoring service reviews:


My ID Alert From Capital One (Product Review)

A few days ago, a representative from Capital One Bank, where I have a credit card account, called me at home about identity theft. The representative was polite and asked if I knew much about the increasing risks of identity theft. Her solution was to sign me up to My ID Alert, a credit monitoring services offered jointly by Capital One Bank and Intersections, Inc..

I listened to her pitch and thanked her for the call. I asked if My ID Alert included medical identity theft coverage. She said it didn't and she didn't know much about that. I mentioned that this was important to me since I am interested in a comprehensive identity protection service that includes credit monitoring, public records monitoring, and medical identity theft protections.

Plus, I was not about to sign up for any credit monitoring service over the phone without, a) understanding what specific services are included in the monthly fee, and b) reviewing the contract terms and conditions. Since writing this blog, I have learned that the important stuff is always listed in the contract terms of a credit monitoring service. If it's not in that document, then it's not provided.

I visited the My ID Alert website to learn more. I had encountered Intersections previously in 2007 when reviewing the Bank of America's Privacy Assist credit monitoring service. A review of My ID Alert would be a good follow-up to see if Capital One negotiated an improved service with new features. The My ID Alert main page:

The My ID Alert credit monitoring service home page

The site was well organized and easy to read. Consumers can quickly find the major features of the service. For $12.99 monthly, subscribers get:

  • Unlimited access to valuable credit tools and your credit score
  • Daily monitoring of your credit files at all 3 credit bureaus
  • Up to $50,000 identity theft insurance with no deductible and at no extra cost

It was easy for me to find and read the website Privacy Policy. It explained that the site uses HTTP browser cookies, but it didn't mention whether or not it uses Flash Cookies. The website probably uses Flash Cookies (a/k/a Local Shared Objects) since it mentions that it works with unnamed third parties.

It was tricky to find the contract terms. First, click the "Enroll Now" button on the home page. On the "Order Form: Step 1" page, there are two links you'll want to use. The first link, "more info," is next to ID Alert and it provides access to summary information in a pop-up window:

The My ID Alert order form page, step 1

The second and more important link, "Print and Review Terms of Use," is further down the page and provides access to the contract terms:

The link to the contract terms on the My ID Alert order form page

Both links should be more accessible to users, ideally on the home page, the FAQ page, and the Privacy Policy page. The contract terms contain critical information consumers need to evaluate the service. It shouldn't be this hard to find important information.

It is important to note that Capital One already sells a credit monitoring service by Intersections: CreditInform Premier. The My ID Alert website didn't mention this, nor did it provide a comparison. So, I developed this brief comparison:

ItemCreditInform PremierMy ID Alert
Unlimited access to credit tools and
credit score
Yes
Yes
Quarterly Notification / credit updatesYesYes
Insurance$20,000$50,000
Notify Express. Includes:
  • Inquiries to your credit files
  • New accounts opened
  • New public records
  • Address changes
  • Changes to public records
  • Changes to account
    information
Yes. Based on Experian
credit report only
No
Credit Score ( From CreditXpert, Inc.
which is not a FICO score)
YesYes
Monthly fee$8.99$12.99

Then, I read the contract terms more closes and noted some important language about the credit score provided (links added for improved readability):

"Any credit score provided as part of the Service is provided by CreditXpert products. The information used by CreditXpert products is derived from one or more credit reports produced by the major credit reporting agencies, also called credit bureaus... CreditXpert Credit Scores(TM) are provided to help users better understand how lenders evaluate consumer credit reports. Lenders may use a different score to evaluate a person's creditworthiness... Also, CreditXpert Inc. is not connected in any way to Fair Isaac Corporation; the CreditXpert Credit Score is not a so-called FICO(®) score. CreditXpert Inc. does not represent that CreditXpert Credit Scores are identical or similar to any specific credit scores produced by any other company."

I have not heard of CreditXpert before. And, like most consumers I thought that FICO was the only source of credit scores. This is an important disclosure since potential lenders may treat different brands of credit scores differently.

I have not done an analysis of the difference between a credit score from FICO versus CreditXpert. Perhaps a reader has and will add a comment below. So, I can't state what the impact might be on a consumer's credit worthiness. Consumers wanting to purchase a FICO-brand credit score may want to look elsewhere. The website didn't present any testimonials from My ID Alert customers, a helpful feature that could have addressed concerns about the credit score source.

One indicator I use to judge a company responsiveness to consumers' needs is whether or not the service has built pages on social networking sites like Facebook, Twitter, and Youtube. These are often a rich source of customer opinions and consumer testimonials, if the service does not have a blog site.

I searched and didn't find a My ID Alert page on Facebook, Twitter, or Youtube. This makes me wonder how serious executives at Capital One and Intersections are about reaching consumers. You have to fish where the fish are.

I also browsed the My ID Alert service looking for evidence it offers real-time alerts via e-mail or text messaging. To help me monitor my financial accounts, my bank offers this where I set the threshold amount to trigger an e-mail alert 24/7. The sooner I can discover fraudulent activity, the less money I am likely to lose. So, I look for this in a credit monitoring service. I couldn't find any evidence in the My ID Alert website about whether it offers real-time alerts. So, I assume no.

Should you sign up for My ID Alert? To me, it is a starter credit monitoring service... it is an option for a person who is just learning about identity theft and wants basic coverage. Each consumer's situation is slightly different, so it is always wise to shop around. For example, parents may seek a service that covers several family members. I've reviewed several credit monitoring service in this blog.

As I mentioned above, I seek an identity protection service that is comprehensive... that includes credit monitoring, public records monitoring, and medical identity theft protections. I want the convenience of subscribing to a single service... one-stop shopping.

The MY ID Alert service doesn't fit my identity protection needs. And, its price seems high. Yes, you get more insurance but you don't get the Notify Express feature Capital One offers in CreditInform Premier. And, the service Capital One negotiated with Intersections didn't seem much different from Bank of America's offering when I last reviewed it.

What do you think? If you use or have used My ID Alert, please share your experiences. We'd love to hear them.


AvMed Breach Affects 1.2 Million Florida Residents

A data breach in December 2009 at AvMed Health Plans included the theft of the Social Security numbers, names, addresses, birth dates, and health records of both current and former AvMed subscribers. Two laptop computers containing the records were stolen from the company's Gainesville office in December.

360,000 breach victims were notified in February and on June 3 the company announced that it is notifying an additional 860,000 breach victims. AvMed is offering breach victims two years of free credit monitoring service with the Debix Identity Protection Network. Breach victims requiring more information can visit the AvMed website contact Debix at 1-877-441-3004 (TTY: 877-442-8633). Breach victims that want the Debix coverage must register.

Breach victims should visit the Florida Attorney General' website for more information about identity theft and steps to take if their medical or personal information is used fraudulently by criminals. The Florida AG advises victims of fraud to:

  1. Report the incident to the fraud department of the three major credit bureaus
  2. Contact the fraud department of each of your creditors
  3. Contact your bank or financial institution
  4. Report the incident to law enforcement

Breach victims can get a free copy of their credit reports from the three credit bureaus at AnnualCreditReport.com. Since this breach involves medical information, breach victims should obtain a copy of their medical records from their AvMed physician and review it for fraudulent entries.

After a data breach with 1.5 million records stolen, in 2009 Health Net selected Debix as the complimentary credit monitoring service for its breach victims.

Is the health care industry doing a good job at protecting patients' medical information? I think not. Data breaches at health care companies are more common than many consumers and patients realize.

According to the Privacy Rights Clearinghouse, recent health care breaches:

  • June 2010: Safe Harbor Med Santa Cruz, California)
  • May 2010: Aetna (South Windsor, Connecticut)
  • May 2010: Loma Linda University Medical Center (Loma Linda, California)
  • May 2010: New Mexico Medicaid (Santa Fe, New Mexico)
  • May 2010: Millennium Medical Management Resources (Westmont, Illinois)
  • April 2010: St. Jude Heritage Medical Group (Orange, California)
  • April 2010: The Medical Center (Bowling Green, Kentucky)
  • April 2010: Hutcheson Medical Center and one other medical facility (Chattanooga, Tennessee)
  • April 2010: DRC Physical Therapy Plus (Monticello, New York)
  • April 2010: Affinity Health Plan (Bronx, New York)
  • April 2010: Massachusetts Eye and Ear Infirmary (Boston, Massachusetts)
  • April 2010: Brooke Army Medical Center (San Antonio, Texas)
  • April 2010: St. Peter's Hospital (Albany, New York)
  • April 2010: Virginia Beach Dept. of Social Services (Virginia Beach, Virginia)
  • April 2010: ManorCare Health Services (Wheaton, Maryland)
  • April 2010: St. Francis Hospital (Tulsa, Oklahoma)
  • April 2010: Providence Hospital (Southfield, Michigan)
  • April 2010: John Muir Physician Network (Walnut Creek, California)
  • March 2010: Northwestern Medical Faculty Foundation (Chicago, Illinois)
  • March 2010: University of Calgary Sunridge Medical Clinic (Calgary, California)
  • March 2010: Atlanta Veterans Affairs Medical Center (Atlanta, Georgia)
  • March 2010: UT Southwestern Medical Center (Dallas, Texas)
  • March 2010: The Open Door Clinic of Greater Elgin (Elgin, Illinois)

Whenever I read about a large breach including laptop computers, I wonder why firms and their employees insist on storing so many records on a single computer. It raises the question about whether AvMed properly trained its employees with effective data security practices.

I read AvMed's February and June press releases. Neither press release mentioned whether or not the stolen information was encrypted. Breach victims have to assume the worst: nothing was encrypted. This makes one wonder why the company didn't encrypt sensitive information.

And while the company claims that the risk of identity fraud is low, the fact is that using the types of information stolen, criminals can assume breach victims' identities, apply for credit in breach victims' names, and apply for health care fraudulently using breach victims' medical information.


Poll: Readers' Attitudes About Offshore Outsourcing

Over the past few months, I ran an informal poll on this blog asking readers about their attitudes toward offshore outsourcing. While corporations are good at assembling resources and products from various geographic areas to deliver low-priced goods to consumers, a seldom discussed aspect is that corporations also transmit customers' sensitive information between offices and vendors in several countries.

Consumers are well aware of offshore outsourcing when they talk with a customer service representative who clearly has an accent and is located in another country. Many offshore outsourcing activities are hidden from consumers and customers when those activities are performed in back-office or support operations. I explored in a four-part blog series the issues with offshore outsourcing by the major credit reporting agencies. For example, when consumers submit via paper corrections to their credit reports, those corrections are often entered by staff or vendors located in other countries.

With all of this in mind, I asked I've been Mugged readers to select the statement which best describes their attitudes about offshore outsourcing and consumers' credit information. Here are there responses:

  • 14% of respondents felt that companies should not perform offshore outsourcing under any circumstances
  • An equal number (14%) felt that offshore outsourcing is okay generally, but shouldn't be used for financial and credit information
  • The greatest number of respondents (36%) felt that companies should notify customers if they perform offshore outsourcing and customers should have a choice to opt-out
  • Far fewer respondents (9%) felt that companies should notify customers if the company's offshore outsourcing includes customers' sensitive data
  • 18% of respondents felt that U.S. Congress needs to do more about offshore outsourcing (e.g., legislation for oversight, auditing, data breach notification, etc.)
  • 5% felt that credit monitoring services shouldn't perform offshore outsourcing
  • 5% don't care whether companies perform offshore outsourcing or not

What to make of these results? First, this was an informal poll. So, it captured the opinions of only I've been Mugged blog readers. Readers of this blog are consumers who have been affected by identity theft, fraud with bank accounts, fraud with their credit reports, and/or data breach victims.

So, the readership of this blog is somewhat of a self-selecting group that has an interest and knowledge about privacy and their sensitive personal information. For the results to be applicable to the entire U.S. population, the survey participants should have included a random selection from the broader U.S. population.

Second, I believe these results are directional in that consumers want to be informed and want control over their sensitive personal information. It was not surprising to me that the greatest number of respondents (36%) felt that companies should both notify customers if they perform offshore outsourcing and provide their customers with an opt-out mechanism.

This indicates that consumers want to be notified and want control over who has access to their sensitive personal information. The company-customer relationship is built on trust. This sensitive customer information It is not for corporate executives to treat as if it is theirs alone.

Like it or not, companies will have to recognize and deal with this reality.