30 posts categorized "IBM"

Amid Accusations of Age Bias, IBM Winds Down a Push for Millennial Workers

[Editor's note: today's post, by reporters at ProPublica, updates a prior post about corporate hiring. A data breach in 2007 at IBM resulted in the creation of this blog. Today's post is reprinted with permission.]

By Peter Gosselin and Ariana Tobin, ProPublica

Faced with a mounting pile of lawsuits accusing it of age discrimination — the latest, a class action, was filed this week in federal district court in New York — tech giant IBM appears to be winding down its Millennial Corps, an internal network of young employees that’s been cited in several legal complaints as evidence of the company’s bias toward younger workers.

ProPublica reported in March that IBM, which had annual revenue of $79 billion in 2017, had ousted an estimated 20,000 U.S. employees ages 40 or older in the past five years, in some instances using money saved from the departures to hire young replacements to, in the words of an internal company document, “correct seniority mix.”

IBM deployed several strategies to attract younger workers, establishing a digital platform catering to millennials, a blog called “The Millennial Experience,” a Twitter account, @IBMillennial, as well as creating the Millennial Corps, whose members company executives pledged to consult about major business moves. The Corps was featured in a 2016 FastCompany piece titled “These Millennials Have Become the Top Decision Makers at IBM.”

But company sources said this week that the internal millennial platform has had almost no entries in recent months and the only posting on the blog dates from at least a year ago. There have been no recent tweets from @IBMillennial. At least one of the Millennial Corps founders quoted in the FastCompany story about the network has left the company, as have several of those listed as Millennial Corps “ambassadors” on the internal platform.

An IBM spokesman did not respond to questions on the status of the Millennial Corps.

The class action was filed Monday on behalf of three former IBM employees who say the company discriminated against them based on their age by ousting them from their jobs and refusing to hire them for other slots. The complaint cites ProPublica’s article extensively in accusing IBM of “systematically laying off older employees in order to build a younger workforce.” The suit was filed by Boston lawyer Shannon Liss-Riordan, who has represented workers against such tech behemoths as Amazon, Google and Uber.

IBM responded to the filing by saying it has done nothing wrong in retooling its workforce to meet the challenges of an evolving tech landscape.

“Changes in our workforce are about skills, not age,” company spokesman Edward Barbini said in a statement. “In fact, since 2010 there is no difference in the age of our U.S. workforce.”

This week’s class action suit follows lawsuits filed against IBM on behalf of individuals in California, Georgia and Texas, as well as a nationwide investigation of age bias at the company by the U.S. Equal Employment Opportunity Commission, which administers the nation’s workplace anti-discrimination laws.

The Texas case, filed by 60-year-old former sales executive Jonathan Langley, accuses the company of laying him off after 24 years because of his age. In court papers, he said IBM “devoted countless millions of dollars to its effort to rebrand as a hip, Millennial-centric tech company” by, among other things, establishing the Millennial Corps.

An IBM spokesman has said the company will defend the Langley case vigorously and complies with all applicable laws.

The new class-action complaint is somewhat narrower than it at first appears, a reflection of complexities in the laws against age discrimination and legal protections IBM has erected for itself.

At the moment, the complaint seeks the right to represent older ex-IBM employees in just two states, California and North Carolina. Ex-employees in other states would have to sign up, or affirmatively opt in, to be covered. Liss-Riordan said in an email that individuals from other states could be added to the class if other plaintiffs emerge.

In addition, the class action filed this week only seeks to represent ex-IBM employees who did not sign the company’s separation agreement when they were ousted.

ProPublica reported in March that IBM regularly denies older workers being laid off information that federal law says they’re entitled to in order to decide whether they have been victims of age bias. It does so by making severance pay contingent on departing employees signing separation agreements in which they give up their right to sue, and can then only pursue age claims through secret, individual arbitration.

Even with these limits on potential plaintiffs, experts on employment said the legal actions could have a substantial effect on IBM.

“If a judge approves class-action status, or any of the age-discrimination lawsuits filed against IBM recently proceed, the company is going to face a costly fight defending its treatment of older workers,” said Jeffrey Young, an Augusta, Maine, lawyer who has successfully sued major employers for age bias but isn’t representing any of the plaintiffs in the IBM cases.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Health Insurers Are Vacuuming Up Details About You — And It Could Raise Your Rates

[Editor's note: today's guest post, by reporters at ProPublica, explores privacy and data collection issues within the healthcare industry. It is reprinted with permission.]

By Marshall Allen, ProPublica

To an outsider, the fancy booths at last month’s health insurance industry gathering in San Diego aren’t very compelling. A handful of companies pitching “lifestyle” data and salespeople touting jargony phrases like “social determinants of health.”

But dig deeper and the implications of what they’re selling might give many patients pause: A future in which everything you do — the things you buy, the food you eat, the time you spend watching TV — may help determine how much you pay for health insurance.

With little public scrutiny, the health insurance industry has joined forces with data brokers to vacuum up personal details about hundreds of millions of Americans, including, odds are, many readers of this story. The companies are tracking your race, education level, TV habits, marital status, net worth. They’re collecting what you post on social media, whether you’re behind on your bills, what you order online. Then they feed this information into complicated computer algorithms that spit out predictions about how much your health care could cost them.

Are you a woman who recently changed your name? You could be newly married and have a pricey pregnancy pending. Or maybe you’re stressed and anxious from a recent divorce. That, too, the computer models predict, may run up your medical bills.

Are you a woman who’s purchased plus-size clothing? You’re considered at risk of depression. Mental health care can be expensive.

Low-income and a minority? That means, the data brokers say, you are more likely to live in a dilapidated and dangerous neighborhood, increasing your health risks.

“We sit on oceans of data,” said Eric McCulley, director of strategic solutions for LexisNexis Risk Solutions, during a conversation at the data firm’s booth. And he isn’t apologetic about using it. “The fact is, our data is in the public domain,” he said. “We didn’t put it out there.”

Insurers contend they use the information to spot health issues in their clients — and flag them so they get services they need. And companies like LexisNexis say the data shouldn’t be used to set prices. But as a research scientist from one company told me: “I can’t say it hasn’t happened.”

At a time when every week brings a new privacy scandal and worries abound about the misuse of personal information, patient advocates and privacy scholars say the insurance industry’s data gathering runs counter to its touted, and federally required, allegiance to patients’ medical privacy. The Health Insurance Portability and Accountability Act, or HIPAA, only protects medical information.

“We have a health privacy machine that’s in crisis,” said Frank Pasquale, a professor at the University of Maryland Carey School of Law who specializes in issues related to machine learning and algorithms. “We have a law that only covers one source of health information. They are rapidly developing another source.”

Patient advocates warn that using unverified, error-prone “lifestyle” data to make medical assumptions could lead insurers to improperly price plans — for instance raising rates based on false information — or discriminate against anyone tagged as high cost. And, they say, the use of the data raises thorny questions that should be debated publicly, such as: Should a person’s rates be raised because algorithms say they are more likely to run up medical bills? Such questions would be moot in Europe, where a strict law took effect in May that bans trading in personal data.

This year, ProPublica and NPR are investigating the various tactics the health insurance industry uses to maximize its profits. Understanding these strategies is important because patients — through taxes, cash payments and insurance premiums — are the ones funding the entire health care system. Yet the industry’s bewildering web of strategies and inside deals often have little to do with patients’ needs. As the series’ first story showed, contrary to popular belief, lower bills aren’t health insurers’ top priority.

Inside the San Diego Convention Center last month, there were few qualms about the way insurance companies were mining Americans’ lives for information — or what they planned to do with the data.

The sprawling convention center was a balmy draw for one of America’s Health Insurance Plans’ marquee gatherings. Insurance executives and managers wandered through the exhibit hall, sampling chocolate-covered strawberries, champagne and other delectables designed to encourage deal-making.

Up front, the prime real estate belonged to the big guns in health data: The booths of Optum, IBM Watson Health and LexisNexis stretched toward the ceiling, with flat screen monitors and some comfy seating. (NPR collaborates with IBM Watson Health on national polls about consumer health topics.)

To understand the scope of what they were offering, consider Optum. The company, owned by the massive UnitedHealth Group, has collected the medical diagnoses, tests, prescriptions, costs and socioeconomic data of 150 million Americans going back to 1993, according to its marketing materials. (UnitedHealth Group provides financial support to NPR.) The company says it uses the information to link patients’ medical outcomes and costs to details like their level of education, net worth, family structure and race. An Optum spokesman said the socioeconomic data is de-identified and is not used for pricing health plans.

Optum’s marketing materials also boast that it now has access to even more. In 2016, the company filed a patent application to gather what people share on platforms like Facebook and Twitter, and link this material to the person’s clinical and payment information. A company spokesman said in an email that the patent application never went anywhere. But the company’s current marketing materials say it combines claims and clinical information with social media interactions.

I had a lot of questions about this and first reached out to Optum in May, but the company didn’t connect me with any of its experts as promised. At the conference, Optum salespeople said they weren’t allowed to talk to me about how the company uses this information.

It isn’t hard to understand the appeal of all this data to insurers. Merging information from data brokers with people’s clinical and payment records is a no-brainer if you overlook potential patient concerns. Electronic medical records now make it easy for insurers to analyze massive amounts of information and combine it with the personal details scooped up by data brokers.

It also makes sense given the shifts in how providers are getting paid. Doctors and hospitals have typically been paid based on the quantity of care they provide. But the industry is moving toward paying them in lump sums for caring for a patient, or for an event, like a knee surgery. In those cases, the medical providers can profit more when patients stay healthy. More money at stake means more interest in the social factors that might affect a patient’s health.

Some insurance companies are already using socioeconomic data to help patients get appropriate care, such as programs to help patients with chronic diseases stay healthy. Studies show social and economic aspects of people’s lives play an important role in their health. Knowing these personal details can help them identify those who may need help paying for medication or help getting to the doctor.

But patient advocates are skeptical health insurers have altruistic designs on people’s personal information.

The industry has a history of boosting profits by signing up healthy people and finding ways to avoid sick people — called “cherry-picking” and “lemon-dropping,” experts say. Among the classic examples: A company was accused of putting its enrollment office on the third floor of a building without an elevator, so only healthy patients could make the trek to sign up. Another tried to appeal to spry seniors by holding square dances.

The Affordable Care Act prohibits insurers from denying people coverage based on pre-existing health conditions or charging sick people more for individual or small group plans. But experts said patients’ personal information could still be used for marketing, and to assess risks and determine the prices of certain plans. And the Trump administration is promoting short-term health plans, which do allow insurers to deny coverage to sick patients.

Robert Greenwald, faculty director of Harvard Law School’s Center for Health Law and Policy Innovation, said insurance companies still cherry-pick, but now they’re subtler. The center analyzes health insurance plans to see if they discriminate. He said insurers will do things like failing to include enough information about which drugs a plan covers — which pushes sick people who need specific medications elsewhere. Or they may change the things a plan covers, or how much a patient has to pay for a type of care, after a patient has enrolled. Or, Greenwald added, they might exclude or limit certain types of providers from their networks — like those who have skill caring for patients with HIV or hepatitis C.

If there were concerns that personal data might be used to cherry-pick or lemon-drop, they weren’t raised at the conference.

At the IBM Watson Health booth, Kevin Ruane, a senior consulting scientist, told me that the company surveys 80,000 Americans a year to assess lifestyle, attitudes and behaviors that could relate to health care. Participants are asked whether they trust their doctor, have financial problems, go online, or own a Fitbit and similar questions. The responses of hundreds of adjacent households are analyzed together to identify social and economic factors for an area.

Ruane said he has used IBM Watson Health’s socioeconomic analysis to help insurance companies assess a potential market. The ACA increased the value of such assessments, experts say, because companies often don’t know the medical history of people seeking coverage. A region with too many sick people, or with patients who don’t take care of themselves, might not be worth the risk.

Ruane acknowledged that the information his company gathers may not be accurate for every person. “We talk to our clients and tell them to be careful about this,” he said. “Use it as a data insight. But it’s not necessarily a fact.”

In a separate conversation, a salesman from a different company joked about the potential for error. “God forbid you live on the wrong street these days,” he said. “You’re going to get lumped in with a lot of bad things.”

The LexisNexis booth was emblazoned with the slogan “Data. Insight. Action.” The company said it uses 442 non-medical personal attributes to predict a person’s medical costs. Its cache includes more than 78 billion records from more than 10,000 public and proprietary sources, including people’s cellphone numbers, criminal records, bankruptcies, property records, neighborhood safety and more. The information is used to predict patients’ health risks and costs in eight areas, including how often they are likely to visit emergency rooms, their total cost, their pharmacy costs, their motivation to stay healthy and their stress levels.

People who downsize their homes tend to have higher health care costs, the company says. As do those whose parents didn’t finish high school. Patients who own more valuable homes are less likely to land back in the hospital within 30 days of their discharge. The company says it has validated its scores against insurance claims and clinical data. But it won’t share its methods and hasn’t published the work in peer-reviewed journals.

McCulley, LexisNexis’ director of strategic solutions, said predictions made by the algorithms about patients are based on the combination of the personal attributes. He gave a hypothetical example: A high school dropout who had a recent income loss and doesn’t have a relative nearby might have higher than expected health costs.

But couldn’t that same type of person be healthy? I asked.

“Sure,” McCulley said, with no apparent dismay at the possibility that the predictions could be wrong.

McCulley and others at LexisNexis insist the scores are only used to help patients get the care they need and not to determine how much someone would pay for their health insurance. The company cited three different federal laws that restricted them and their clients from using the scores in that way. But privacy experts said none of the laws cited by the company bar the practice. The company backed off the assertions when I pointed out that the laws did not seem to apply.

LexisNexis officials also said the company’s contracts expressly prohibit using the analysis to help price insurance plans. They would not provide a contract. But I knew that in at least one instance a company was already testing whether the scores could be used as a pricing tool.

Before the conference, I’d seen a press release announcing that the largest health actuarial firm in the world, Milliman, was now using the LexisNexis scores. I tracked down Marcos Dachary, who works in business development for Milliman. Actuaries calculate health care risks and help set the price of premiums for insurers. I asked Dachary if Milliman was using the LexisNexis scores to price health plans and he said: “There could be an opportunity.”

The scores could allow an insurance company to assess the risks posed by individual patients and make adjustments to protect themselves from losses, he said. For example, he said, the company could raise premiums, or revise contracts with providers.

It’s too early to tell whether the LexisNexis scores will actually be useful for pricing, he said. But he was excited about the possibilities. “One thing about social determinants data — it piques your mind,” he said.

Dachary acknowledged the scores could also be used to discriminate. Others, he said, have raised that concern. As much as there could be positive potential, he said, “there could also be negative potential.”

It’s that negative potential that still bothers data analyst Erin Kaufman, who left the health insurance industry in January. The 35-year-old from Atlanta had earned her doctorate in public health because she wanted to help people, but one day at Aetna, her boss told her to work with a new data set.

To her surprise, the company had obtained personal information from a data broker on millions of Americans. The data contained each person’s habits and hobbies, like whether they owned a gun, and if so, what type, she said. It included whether they had magazine subscriptions, liked to ride bikes or run marathons. It had hundreds of personal details about each person.

The Aetna data team merged the data with the information it had on patients it insured. The goal was to see how people’s personal interests and hobbies might relate to their health care costs. But Kaufman said it felt wrong: The information about the people who knitted or crocheted made her think of her grandmother. And the details about individuals who liked camping made her think of herself. What business did the insurance company have looking at this information? “It was a dataset that really dug into our clients’ lives,” she said. “No one gave anyone permission to do this.”

In a statement, Aetna said it uses consumer marketing information to supplement its claims and clinical information. The combined data helps predict the risk of repeat emergency room visits or hospital admissions. The information is used to reach out to members and help them and plays no role in pricing plans or underwriting, the statement said.

Kaufman said she had concerns about the accuracy of drawing inferences about an individual’s health from an analysis of a group of people with similar traits. Health scores generated from arrest records, home ownership and similar material may be wrong, she said.

Pam Dixon, executive director of the World Privacy Forum, a nonprofit that advocates for privacy in the digital age, shares Kaufman’s concerns. She points to a study by the analytics company SAS, which worked in 2012 with an unnamed major health insurance company to predict a person’s health care costs using 1,500 data elements, including the investments and types of cars people owned.

The SAS study said higher health care costs could be predicted by looking at things like ethnicity, watching TV and mail order purchases.

“I find that enormously offensive as a list,” Dixon said. “This is not health data. This is inferred data.”

Data scientist Cathy O’Neil said drawing conclusions about health risks on such data could lead to a bias against some poor people. It would be easy to infer they are prone to costly illnesses based on their backgrounds and living conditions, said O’Neil, author of the book “Weapons of Math Destruction,” which looked at how algorithms can increase inequality. That could lead to poor people being charged more, making it harder for them to get the care they need, she said. Employers, she said, could even decide not to hire people with data points that could indicate high medical costs in the future.

O’Neil said the companies should also measure how the scores might discriminate against the poor, sick or minorities.

American policymakers could do more to protect people’s information, experts said. In the United States, companies can harvest personal data unless a specific law bans it, although California just passed legislation that could create restrictions, said William McGeveran, a professor at the University of Minnesota Law School. Europe, in contrast, passed a strict law called the General Data Protection Regulation, which went into effect in May.

“In Europe, data protection is a constitutional right,” McGeveran said.

Pasquale, the University of Maryland law professor, said health scores should be treated like credit scores. Federal law gives people the right to know their credit scores and how they’re calculated. If people are going to be rated by whether they listen to sad songs on Spotify or look up information about AIDS online, they should know, Pasquale said. “The risk of improper use is extremely high. And data scores are not properly vetted and validated and available for scrutiny.”

As I reported this story I wondered how the data vendors might be using my personal information to score my potential health costs. So, I filled out a request on the LexisNexis website for the company to send me some of the personal information it has on me. A week later a somewhat creepy, 182-page walk down memory lane arrived in the mail. Federal law only requires the company to provide a subset of the information it collected about me. So that’s all I got.

LexisNexis had captured details about my life going back 25 years, many that I’d forgotten. It had my phone numbers going back decades and my home addresses going back to my childhood in Golden, Colorado. Each location had a field to show whether the address was “high risk.” Mine were all blank. The company also collects records of any liens and criminal activity, which, thankfully, I didn’t have.

My report was boring, which isn’t a surprise. I’ve lived a middle-class life and grown up in good neighborhoods. But it made me wonder: What if I had lived in “high risk” neighborhoods? Could that ever be used by insurers to jack up my rates — or to avoid me altogether?

I wanted to see more. If LexisNexis had health risk scores on me, I wanted to see how they were calculated and, more importantly, whether they were accurate. But the company told me that if it had calculated my scores it would have done so on behalf of their client, my insurance company. So, I couldn’t have them.


Federal Watchdog Launches Investigation of Age Bias at IBM

[Editor's note: today's guest post, by reporters at ProPublica, updates a prior post about employment practices. It is reprinted with permission. A data breach at IBM in 2007 led to the creation of this blog.]

By Peter Gosselin, ProPublica

The U.S. Equal Employment Opportunity Commission has launched a nationwide probe of age bias at IBM in the wake of a ProPublica investigation showing the company has flouted or outflanked laws intended to protect older workers from discrimination.

More than five years after IBM stopped providing legally required disclosures to older workers being laid off, the EEOC’s New York district office has begun consolidating individuals’ complaints from across the country and asking the company to explain practices recounted in the ProPublica story, according to ex-employees who’ve spoken with investigators and people familiar with the agency’s actions.

"Whenever you see the EEOC pulling cases and sending them to investigations, you know they’re taking things seriously," said the agency’s former general counsel, David Lopez. "I suspect IBM’s treatment of its later-career workers and older applicants is going to get a thorough vetting."

EEOC officials refused to comment on the agency’s investigation, but a dozen ex-IBM employees from California, Colorado, Texas, New Jersey and elsewhere allowed ProPublica to view the status screens for their cases on the agency’s website. The screens show the cases being transferred to EEOC’s New York district office shortly after the March 22 publication of ProPublica’s original story, and then being shifted to the office’s investigations division, in most instances, between April 5 and April 10.

The agency’s acting chair, Victoria Lipnic, a Republican, has made age discrimination a priority. The EEOC’s New York office won a settlement last year from Kentucky-based national restaurant chain Texas Roadhouse in the largest age-related case as measured by number of workers covered to go to trial in more than three decades.

IBM did not respond to questions about the EEOC investigation. In response to detailed questions for our earlier story, the company issued a brief statement, saying in part, "We are proud of our company and its employees’ ability to reinvent themselves era after era while always complying with the law."

Just prior to publication of the story, IBM issued a video recounting its long history of support for equal employment and diversity. In it, CEO Virginia "Ginni" Rometty said, "Every generation of IBMers has asked ‘How can we in our own time expand our understanding of inclusion?’ "

ProPublica reported in March that the tech giant, which has an annual revenue of about $80 billion, has ousted an estimated 20,000 U.S. employees ages 40 and over since 2014, about 60 percent of its American job cuts during those years. In some instances, it earmarked money saved by the departures to hire young replacements in order to, in the words of one internal company document, "correct seniority mix."

ProPublica reported that IBM regularly denied older workers information the law says they’re entitled to in order to decide whether they’ve been victims of age bias, and used point systems and other methods to pick older workers for removal, even when the company rated them high performers.

In some cases, IBM treated job cuts as voluntary retirements, even over employees’ objections. This reduced the number of departures counted as layoffs, which can trigger public reporting requirements in high enough numbers, and prevented employees from seeking jobless benefits for which voluntary retirees can’t file.

In addition to the complaints covered in the EEOC probe, a number of current and former employees say they have recently filed new complaints with the agency about age bias and are contemplating legal action against the company.

Edvin Rusis of Laguna Niguel, a suburb south of Los Angeles, said IBM has told him he’ll be laid off June 27 from his job of 15 years as a technical specialist. Rusis refused to sign a severance agreement and hired a class-action lawyer. They have filed an EEOC complaint claiming Rusis was one of "thousands" discriminated against by IBM.

If the agency issues a right-to-sue letter indicating Rusis has exhausted administrative remedies for his claim, they can take IBM to court. "I don’t see a clear reason for why they’re laying me off," the 59-year-old Rusis said in an interview. "I can only assume it’s age, and I don’t want to go silently."

Coretta Roddey of suburban Atlanta, 49, an African-American Army veteran and former IBM employee, said she’s applied more than 50 times to return to the company, but has been turned down or received no response. She’s hired a lawyer and filed an age discrimination complaint with EEOC.

"It’s frustrating," she said of the multiple rejections. "It makes you feel you don’t have the qualifications (for the job) when you really do."


How the Crowd Led ProPublica to Investigate IBM

[Editor's note: today's guest post, by the reporters at ProPublica, discusses employment practices at a major corporation in the United States. The investigation is as interesting as the "Cutting 'Old Heads' At IBM" report. This also caught my attention because a data breach at IBM in 2007 led to the creation of this blog. Today's article is reprinted with permission.]

By Ariana Tobin and Peter Gosselin, ProPublica

On March 22, we reported that over the past five years IBM has been removing older U.S. employees from their jobs, replacing some with younger, less experienced, lower-paid American workers and moving many other jobs overseas.

We’ve got documentation and details — most of which are the direct result of a questionnaire filled out by over 1,100 former IBMers.

We’ve gone to the company with our findings. IBM did not answer the specific questions we sent. Spokesman Edward Barbini said: “We are proud of our company and our employees’ ability to reinvent themselves era after era, while always complying with the law. Our ability to do this is why we are the only tech company that has not only survived but thrived for more than 100 years.”

We don’t know the exact size of the problem. Our questionnaire isn’t a scientific sample, nor did all the participants tell us they experienced age discrimination. But the hundreds of similar stories show a pattern of older employees being pushed out even when the company itself says they were doing a good job.

This project wasn’t inspired by a high-level leak or an errant line in secret documents. It came to us through reader engagement. Our investigation took us beyond some of our usual reporting techniques. We’d like to elaborate on this because:

  • We know readers will wonder how we sourced some pretty serious claims.
  • Many ex-employees trusted us with their stories and spent many hours in conversation with us. We think it’s good practice to let them know how we’ve used their information.
  • This is probably the first time we’ve been pointed to a big project by a community of people we found through digital outreach. We hope that by sharing our experiences, we can help others build on our work.

IBMers found us

This project started as a conversation between the two of us, both reporters at ProPublica. Peter had taken on the age discrimination beat for reasons both personal and professional. Ariana was newly minted into a job called “engagement reporter.”

Ariana suggested that Peter write up a short essay on his own experiences of being laid off at 63 and searching for a job in the aftermath. We attached a short questionnaire to the bottom and headlined it: “Over 50 and looking for a job? We’d like to hear from you.”

Dozens of people responded within the first couple of weeks. As we looked through this first round of questionnaires, we noticed a theme: a whole lot of information and technology workers told us they were struggling to stay employed. And those who had lost their jobs? They were having a really hard time finding new work.

Of those IT workers, several mentioned IBM right off the bat. One woman wrote that she and her coworkers were working together to find new jobs in order to “ward off the dreaded old person layoff from IBM.”

Another wrote: “I can probably help you get a lot more stories, contact me if you want to discuss this possibility.”

Another wrote: “Part of the separation agreement was that I not seek collective action against IBM for age discrimination. I was not going to sign as a law firm was planning to file a grievance. However they needed 10 people to agree and they could not get the numbers.”

… and then they connected us with more IBMers

We started making some calls. One of the first people we talked to was Brian Paulson, a 57-year-old senior manager with 18 years at IBM, who was fired for “performance reasons” that the company refused to explain. He was still job-hunting two years later.

Another ex-IBM employee told us that she had seen examples of older workers laid off from many parts of the company on a public Facebook page called WatchingIBM. Ariana spent a day looking through the posts, which were, as promised, crawling with stories, questions, and calls for support from workers of all kinds, as shown in the accompanying screenshot.

We decided to reach out to the page’s administrator, who was a longtime IBM workplace activist, Lee Conrad. He shared our age discrimination questionnaire in the group and more responses poured in.

With dozens of interviews already on the books, we decided to launch a second, more specific questionnaire — this time about IBM

We realized that we had been pointed toward an angry, sad and motivated group. The older ex-IBM workers we called were trying to figure out whether their own layoffs were unique or part of a larger trend. And if they were part of a larger trend... how many people were affected?

A major frustration we saw in comment after comment: These workers couldn’t get information on how many others had been forced out with them.

This was an information gap that immediately struck Peter, because that information is exactly what the law requires employers to disclose at the time of a layoff.

On top of that, many of these sources mentioned having been forced to sign agreements that kept them from going to court or even talking about what had happened to them. They were scared to do anything in violation of those agreements, a fear that kept them from finding out the answers to some big open questions: Why would IBM have stopped releasing the ages and positions of those let go, as they had done before 2014 to comply with federal law? How many workers out there believed they had been “retired” against their will? What did managers really tell their subordinates when the time came to let them go? Who was left to do all of their work?

So we wrote up another questionnaire asking those specific questions.

We learned from the responses, and also the response rate

We contacted people on listservs, found them on open petitions, joined closed LinkedIn networks, and followed each posting on ex-IBM groups. We tweeted the questionnaire out on days that IBM reported its earnings, including the company’s ticker symbol. We talked to trade magazines and IBM historians and organizers who still work at IBM. We bought ads on Facebook and aimed them toward cities and towns where we knew IBM had been cutting its workforce.

As the responses came in, we tried to figure out where most of them were coming from. To identify any meaningful trends, we needed to know who was answering, what was working, and why. We also realized that we needed to introduce ourselves in order to persuade anyone it was worth participating.

When something worked, we’d double down:

We know what worked the best: When people filled out the questionnaire they’d also share their contact information with us. So we asked them to forward the questionnaire around within their own networks:

And we got more leads

We read through all of the responses and identified themes: 183 respondents said the company recorded them as having retired by choice even though they had no desire to retire or flat-out objected to the idea. Forty-five people were told they’d have to uproot their lives and move sometimes thousands of miles from the communities where they had worked for years, or else resign. Fifty-three said their jobs had been moved overseas. Some were happy they’d left. Some were company luminaries, given top ratings throughout their career. Some were still fighting over benefits and health care. Some were worried about finding work ever again.

Inevitably, this categorization process led us to identify new patterns as we went along, and as new responses accumulated. For each new pattern, we would go back and see how many people fit.

One of the first and most interesting such categories was the people who had received emails congratulating them on their retirement at the same time as they were informed of their layoff. We realized there would be power in numbers there, so we set up a SecureDrop for people who were willing to send us their paperwork.

Eventually, we also created a category called “legal action.” We’d stumbled upon support groups of ex-IBM employees who had filed formal complaints with the Equal Employment Opportunity Commission. Some sent us the company’s responses to their individual complaints, giving us insight into the way the company responded to allegations of discrimination. These seemed, of course, very useful.

In other words: we sent some rather complicated mass emails and were surprised over and over again by the specificity of the responses:

IBM undoubtedly has information that would shed light on the documents, its layoff practices or the overall extent and nature of its job cuts. The company chose not to respond to our questions about those issues.

So we tried to answer ex-IBMers’ questions ourselves, including one of the most basic: How many employees ages 40 and over were let go or left in recent years?

IBM won’t say. In fact, over the years, the company has stopped releasing almost all information about its U.S. workforce. In 2009, it stopped publishing its American employment total. In 2014, it stopped disclosing the numbers and ages of older employees it was laying off, a requirement of the nation’s basic anti-age bias law, the Age Discrimination in Employment Act (ADEA).

So we’ve sought to estimate the number, relying on one of the few remaining bits of company-provided information — a technique developed by a veteran financial analyst who follows IBM for investors — as well as patterns we spotted in internal company documents.

We began with a line in the company’s quarterly and annual filings with the U.S. Securities and Exchange Commission for “workforce rebalancing,” a company term for layoffs, firings and other non-retirement departures. It’s a gauge of what IBM spends to let people go. In the past five years, workforce rebalancing charges have totaled $4.3 billion.

The technique was used by veteran IBM analyst Toni Sacconaghi of Bernstein Research. Sacconaghi is a respected Wall Street analyst who has been named to Institutional Investor’s All-America Research Team every year since 2001. His technique and layoff estimates have been widely cited by news organizations including The Wall Street Journal and Fortune.

Some years ago, Sacconaghi estimated that IBM’s average per-employee cost for laying off a worker was $70,000.

Dividing $4.3 billion by $70,000 suggests that during the past five years IBM’s worldwide job cuts totaled about 62,000. If anything, that number is low, given IBM executives’ comments at a recent investor conference. Internal company documents we reviewed suggest that 50 to 60 percent of cuts were made in the U.S., with older workers representing roughly 60 percent of those. That translates to about 20,000 older American workers let go.

Our analysis suggests the total of U.S. layoffs is almost certainly higher.

First, as Sacconaghi said in a recent interview, IBM’s per-employee rebalancing costs are likely much lower now because, starting in 2016, the company reduced severance payments to departing employees from six months to just 30 days. That means IBM can lay off or fire more people for the same or lower overall costs.

Second, because, as those ex-IBMers told us, the company often converts their layoffs into retirements, the workplace rebalancing numbers don’t tell the whole story.

Right below the line for “workforce rebalancing” in its SEC filings, IBM adds another line for “retirement-related costs,” which reflects how much the company spends each year retiring people out. Some — perhaps a substantial amount of that — went to retirements that were less than fully voluntary. This could add up to thousands more people.

By coming up with answers and investigating in the open, we’ve gotten more sources

Many of the conversations we’ve had during our reporting didn’t make it into the final story. People allowed us to review internal company documents. They let us see long email exchanges with their managers. They dug back through closets and garages to find memos they had saved out of frustration or fatigue or just plain anger.

We can’t go into detail about all of the ways the community helped us report out this story, because we also promised many of our sources that we would protect their confidentiality. The beauty is that they talked to us anyway. They knew where to find us, because our contact information had been spread far and wide.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


ProPublica Seeks Input From Former IBM Employees

This news item immediately caught my attention, since a data breach in 2007 at IBM Inc. was the original inspiration for this blog. And the tech company had another breach in 2009. The company has struggled against other tech companies.

Earlier this month, IBM completed a blockchain trial with Westpac and ANZ. According to Yahoo News and Zacks Equity Research, blockchain:

"... is a kind of distributed database and works as an online ledger that cannot be altered or breached easily. The use of such technologies in the banking and finance sector is aimed at reducing the possibility of losing valuable data as well as minimizing the rate of cybercrime in the finance industry.

Notably, IBM is one of major players in the Blockchain market. This is the second significant deal for the company in this technology space..."

The reporters at ProPublica seek input from former IBM employees who left the company during the last few years. Why? The computing and technology company has:

"... been upending its workforce, often with painful results for longtime employees. According to one estimate, IBM’s U.S. employment, which peaked at 230,000, had dropped to about 70,000 by mid-2015, largely the product of layoffs and retirements. And six weeks ago, IBM told thousands of its telecommuting employees to start reporting to particular offices, which in many cases would involve long-distance moves. That, or resign. As a result, hundreds, perhaps thousands, more IBMers are leaving the company.

IBM has long been a corporate leader in employment practices. That means the way it treats its employees speaks volumes about what lies ahead for working people everywhere. But IBM executives won’t tell their workers or the public how many people are leaving this year. They refuse to provide the numbers for 2016, 2015, or 2014 either, to explain the logic behind who gets tapped to go, or exactly how the departures fit into a larger strategy.

We’re asking you to help us get the numbers and, with them, answers."

Former IBM employees interested in providing input should complete this brief questionnaire at the ProPublica site.


Apple News: Electronic Book Price Fixing Settlement; IBM Partnership; EU Concerns About In-App Purchases By Children

Last week, the Office of the Massachusetts Attorney General (AG) announced a settlement with Apple Inc. regarding electronic book (a/k/a e-book) price fixing allegations. AGs from 33 states had filed lawsuits against the company:

"Contingent upon the resolution of Apple’s appeal of a U.S. District Court verdict from 2013, consumers nationwide will receive a total of $400 million, with Massachusetts consumers estimated to receive more than $12 million in refunds. The agreement also remains subject to approval by the U.S. District Court for the Southern District of New York."

Additional details about the Apple settlement:

"The exact amount of consumer relief is contingent upon the affirmation of a U.S. District Court’s July 2013 verdict that Apple violated federal and state antitrust laws by orchestrating a conspiracy with five publishers – Penguin Group (USA), Inc. (now part of Penguin Random House); Holtzbrinck Publishers LLC d/b/a Macmillan; Hachette Book Group Inc.; HarperCollins Publishers LLC; and Simon & Schuster Inc. – to artificially raise prices for E-books between 2010 and 2012 in order to eliminate retail price competition."

Information about the publishers' settlement:

"E-book purchasers nationwide are already entitled to refunds totaling $166 million in settlement funds paid by the five publishers involved in the conspiracy. Massachusetts consumers are due more than $5 million from these funds in compensation pursuant to these settlements."

Martha Coakley, the Massachusetts AG, said in a statement:

“Price collusion amongst competitors is unacceptable and this agreement will ensure that those responsible are held accountable... We are hopeful that this settlement will go through so that affected consumers can receive significant refunds as a result of these violations.”

New York State AG Eric T. Schneiderman said in a statement:

“... the biggest, most powerful companies in the world must play by the same rules as everyone else... We will continue to work with our colleagues in other states to ensure that all companies compete fairly with the knowledge that no one is above the law.”

Good. I applaud the AGs for this enforcement action. In related news, Apple announced a partnership with IBM Inc. to:

"... redefine the way work will get done, address key industry mobility challenges and spark true mobile-led business change—grounded in four core capabilities:

1. a new class of more than 100 industry-specific enterprise solutions including native apps, developed exclusively from the ground up, for iPhone and iPad;
2. unique IBM cloud services optimized for iOS, including device management, security, analytics and mobile integration;
3. new AppleCare® service and support offering tailored to the needs of the enterprise; and
4. new packaged offerings from IBM for device activation, supply and management."

Meanwhile, many parents in Europe are concerned about how app-based games are marketed. Engadget reported last week:

"... while Google addressed its concerns around games with in-app purchasing, Apple has yet to offer a strategy. Following hordes of complaints by outraged parents, the EU asked both companies to implement changes to the way they sell such apps in their stores. Those include not misleading consumers about supposedly "free" games, not "directly exhorting" children to buy in-game items, thoroughly informing customers about payment arrangements and forcing game-makers to provide contact information."

The request by the European Commission and the Consumer Protection Cooperation (CPC) Network included:

"1. Games advertised as "free" should not mislead consumers about the true costs involved;
2. Games should not contain direct exhortation to children to buy items in a game or to persuade an adult to buy items for them;
3. Consumers should be adequately informed about the payment arrangements for purchases and should not be debited through default settings without consumers’ explicit consent;
4. Traders should provide an email address so that consumers can contact them in case of queries or complaints."

The Engadget news article also included this statement by Apple:

"... over the last year we made sure any app which enables customers to make in-app purchases is clearly marked. We've also created a Kids Section on the App Store with even stronger protections to cover apps designed for children younger than 13. These controls go far beyond the features of others in the industry. But we are always working to strengthen the protections we have in place, and we're adding great new features with iOS 8, such as Ask to Buy, giving parents even more control over what their kids can buy on the App Store..."

This statement was after a $32.5 million settlement in March 2014 with the U.S. Federal Trade Commission (FTC):

"... a final order resolving FTC allegations that Apple Inc. unfairly charged consumers for in-app purchases incurred by children without their parents’ consent... by March 31, 2014, Apple must change its billing practices to ensure that it has obtained express, informed consent from consumers before charging them for in-app purchases. Apple also must provide full refunds, totaling a minimum of $32.5 million, to consumers who were billed for in-app purchases that were incurred by children... Should Apple issue less than $32.5 million in refunds to consumers within the 12 months after the settlement becomes final, the company must remit the balance to the Commission. By April 15, 2014, Apple must notify all consumers charged for in-app purchases with instructions on how to obtain a refund for unauthorized purchases by kids."

In-app purchases can be expensive. Experts advise parents to closely monitor their children's game activity.


IBM To Move 110,000 Retirees From Its Sponsored Health Care Plan To Private Exchanges. Other Companies Plot Similar Moves

Earlier this week, IBM announced that it will move about 110,000 Medicare-eligible retirees from its current company-sponsored health plan to private health care insurance exchanges. Retirees will receive payments towards the cost of health care through exchanges.

While IBM denied that costs were the reason for the move, the news report stated that experts have estimated Medicare costs to triple by 2020. So, while the move may not save IBM any money today, it seems the company's decision is clearly cost-related -- to save itself money in the future.

Reportedly, the new plan for IBM retirees will start January 1, 2014. According to the Chicago Tribune:

"IBM also said it was hosting meetings with groups of retirees across the country to inform them about the move to the country's largest private Medicare Exchange. While some retirees may be skeptical, studies showed that the majority of people have a more positive outlook once they were presented with the concept and understood the options available to them through these exchanges..."

Health care exchanges were created under the 2010 Affordable Health Care Act. At many health care exchanges, open enrollment will begin on October 1, 2013. A health care exchange is:

"... a regulated marketplace where consumers can more easily compare insurance plans through the Internet, on the phone, or through an official helper, called a “navigator.” Consumers can also find out if they qualify for Medicaid -- the jointly run federal/state health care program for the poor -- or for a federal subsidies to help pay for the insurance... They are for small businesses and people who don’t have access to affordable insurance through an employer or are not already enrolled in a government program, such as Medicare."

Experts have projected that the shift to private health care exchanges will affect both retirees and current employees. (I'll bet you didn't know that.) The projections include 1 million workers enrolled in private health care exchanges in 2013, increasing to perhaps 40 million workers in 2018.

Other companies have announced similar health care plan changes for their retirees, including General Electric and Time Warner. Last month, the United Parcel Service announced that it will stop health care coverage for employees' spouses, who can get coverage through another employer's plan:

"By denying coverage to spouses, employers not only save the annual premiums, but also the new fees that went into effect as part of the Affordable Care Act. This year, companies have to pay $1 or $2 “per life” covered on their plans, a sum that jumps to $65 in 2014. And health law guidelines proposed recently mandate coverage of employees’ dependent children (up to age 26), but husbands and wives are optional... next year, 12% of employers plan to exclude spouses, up from 4% this year, according to a recent Towers Watson survey."

Local leaders in some states, such as North Carolina, are hosting forums to explain to residents what health care exchanges are and how they operate. The insurance commissioner in Maryland has already published rates available in the state's new health care exchange, with some rates as low as $122 per month.

What is your opinion of private health care exchanges? What is your opinion of employers that no longer cover their employees' spouses?


Security Report Describes Multiple Threats Targeting Apple And Android Mobile Devices

Your Apple brand mobile device may not be as secure as you think it is. Trend Micro released a report last week about mobile device security. Key findings from the report:

  • During the first three months of 2012, Apple led all major technology vendors with 91 reported vulnerabilities (http://cve.mitre.org/), followed by Oracle (78), Google (73), Microsoft (43), IBM (42), Cisco (36), Mozilla (30), MySQL (28), Adobe (27), and Apache (24).
  • During the same period, Android-based smartphones suffered from the most cyber criminal attacks. Trend Micro identified about 5,000 new malicious apps that target Android devices.

The report described a variety of scams and threats targeting mobile device users worldwide. The “one-click billing fraud” scam is particularly nasty. In this scam, thieves target video sharing websites. When a person clicks on a link to view a video, the link redirects to a website that downloads a software virus to their device. The virus locks up the person’s device and demands payment to unlock the device. This scam now targets Android-based smartphones.

Some scams used email hoaxes about new products to spread malware:

"Free “iPad 3” giveaway promos stirred up interest in the product even before its launch and infected systems with malware. Twitter spam touting free McDonald’s gift cards redirected users to adult dating sites..."

Some scams used new social networking sites to spread computer viruses:

“New social networking site, Pinterest, gained not just popularity but also notoriety. Site users were drawn into “re-pinning” a Starbucks logo to get supposed gift cards but instead got Malware.”

The report describes another type of scam, often referred to as “ransomware,” which:

“Refers to a class of malware that holds systems and/or files “hostage” unless victims pay up...”

Ransomware may also encrypt files on the hard drives of victims’ infected devices, and demand payment to release the encrypted files. Trend Micro reported that this scam previously operated in Russia, but has now spread to several countries in Europe. A variation of this scam includes the use of police department logos on a landing page which demands that victims with infected computers pay a bogus fine for accessing Internet port and materials with violent content.

Before installing apps on your smartphone, the report’s authors advise consumers to:

  1. Be ready to give out some personal information.
  2. Know that a third-party will gain access to your personal information.
  3. Know the app developer’s reputation.

Download the “Security In the Age of Mobility” report (Adobe PDF, 2.1 MBytes).


A Second Data Breach at Health Net Affects 1.9 Million Consumers

On Monday of this week, Health Net announced a data breach and the company's ongoing investigation into lost/stolen server drives from its data center in Rancho Cordova, Calif. According to the press release:

"This investigation follows notification by IBM, Health Net’s vendor responsible for managing Health Net’s IT infrastructure, that it could not locate several server drives. After a forensic analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives, and may include names, addresses, health information, Social Security numbers and/or financial information."

This is interesting for several reasons. First, the Health Net press release disclosed neither the number of lost/stolen server drives nor the number of consumers' records lost/stolen. That's usually a bad sign that the breach is a huge one. The California Department of Managed Health Care (DMHC) issued a statement (43k bytes; PDF document) that the Health Net breach included 1.9 million current and prior Health Net customers nationwide, including:

"... more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare."

The DMHC is rightly concerned and conducting its own investigation. The DMHC statement also said that nine (9) Health Net server drives were missing.

Second, the above Health Net press release mentioned the name of an IT outsource vendor I recognized, IBM. I have had some direct, personal experience with an IBM breach. And IBM's involvement in the Health Net breach has a twist of irony.

After its 2007 data breach, IBM never disclosed what actions it took, if any, with the outsource vendor it hired to ship its backup computer data tapes to an off-site facility. Did IBM fire its vendor, or were specific vendor's employees disciplined or terminated? We never learned what happened. Now, to use a common expression, "the shoe is on the other foot" as IBM is the vendor involved in its client's data breach.

Third, this is the second huge data breach at Health Net. In November 2009, Health Net suffered a huge data breach. That 2009 data breach included hard drives, too, where the sensitive personal data lost/stolen included the Social Security numbers, medical records and health information dating back to 2002 of 1.5 million past and current customers in several states. During the last few months, Health Net paid fines to several states to settle the 2009 breach. Several states' attorneys general alleged that the 2009 breach violated the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), and some states' local laws.

Fourth, ABC News focused its coverage on the delayed notification. Apparently, Health Net learned about the missing server drives in February, notified the California Attorney General's office on March 4, and then notified the public on March 14. The delay in notification was part of the rationale for the settlement fines Health Net paid as a result of its 2009 data breach.

Fifth, the Connecticut Attorney General's office has demanded that Health Net provide identity-theft and credit protections for 25,000 Connecticut residents affected by the data breach. In its breach announcement, Health Net has hired Debix (again) to provide two years of complimentary identity-theft and credit protection for breach victims.

Sixth, the nationwide impacts of the Health Net data breach are just becoming known. About 40,000 consumers in Washington state have been affected. I expect more states' regulatory agencies and/or attorneys general to issue statements about the impacts in their states.

After such a huge data breach in 2009, you'd think that the executives at Health Net would "get it," implement tightened data security, and implement both new data security policies and employee training to prevent another massive data breach. Well, another massive breach happened. As a wise person once said, actions speak louder than words.

I am hoping that the consequences for Health Net executives include much more than fines. Executives need to be fired and/or jailed. What do you think? What action, if any, should Health Net take with its outsource vendor, IBM?


Texas / IBM Data Center Project Failure

A good friend, Michael Krigsman, writes an excellent blog: IT project failures. The reasons vary for project failures and some are data breaches. His blog deserves a mention here because a recent post discussed a project involving IBM Corporation, a company I have had some direct experience with. Michael wrote:

"The Texas Department of Information Resources (DIR) sent IBM a “Notice to Cure,” accusing the large system integrator of failing to perform its obligations on a data center consolidation contract worth $863 million. According to an internal report prepared by the department, this is a case of the “blind leading the blind,” with both parties at fault."

Ouch! Harsh words. Sad state of affairs for a project.


IBM Distributes Virus-Infected USB Drives at Security Conference

Long-time readers know that I named this blog to honor the company that lost my sensitive personal data during a February 2007 data breach. Since then, I try to give IBM the media attention it earns.

Last week, InformationWeek magazine reported that IBM gave attendees at the AusCERT information security conference in Australia virus-infected USB thumb drives. IBM followed up this snafu with an apology via e-mail. The InformationWeek article contains the text of the e-mail message.

Nobody at IBM bothered to check the USB thumb drives before distributing them to conference attendees? Wow! And this occurred at a security conference, too.

If I ever receive a free USB drive from the leading computer and security company worldwide, that advises other companies how to deal with data breaches, I'll be sure to scan it with anti-virus software first.


Survey: Ponemon Lists The Top 20 Most Trusted Firms For Privacy

Last month, Ponemon Institute released its list of the 20 most trusted companies for privacy. The list is compiled from an annual survey of 6,627 adults in the United States. Survey participants were asked to rank their most trusted companies from a list of companies provided. Highlights from this year's survey:

"Among the brands that made the top twenty were four not listed in the previous study, including Google, Weight Watchers, Walmart, and AT&T. Of the companies listed last year, Facebook, AOL, and eLoan did not make the 2010 list. 2009 was a tumultuous year for privacy, as illustrated by Facebook’s drop out of the top twenty in a year when they found themselves at the center of a very public debate over the evolution of their privacy policies and settings."

It's good to see that there is a "cost" when a Web site or company has confusing or constantly changing privacy policies and rules. Some other highlights:

"Consumers feel they are losing control of personal information: Only 41 percent of consumers feel they have control over their personal information, down from 45 last year and an overall drop from 56 percent in 2006."

The next finding definitely caught my attention:

"Identity theft is top of mind: 59 percent of consumers said fear of identity theft was a major factor in brand trust diminishment, and 50 percent said notice of a data breach was a factor. Other significant threats to brand trust were abuse of civil liberties and annoying “background chatter” in public venues."

The Top 10 most-trusted companies for privacy (with their prior year ranking in parentheses):

1. American Express (1)
2. IBM (3)
3. Johnson & Johnson (5)
4. Hewlett Packard (6)
5. eBay (2)
6. U.S. Postal Service (6)
7. Procter & Gamble (7)
8. Amazon.com (4)
8. Nationwide (9)
9. USAA (11)
10. WebMD (13)

Google was ranked #13. Read the press release to browse the complete list of all twenty ranked companies. I'll bet a number of CEOs are wondering how the United States Postal Service outranked them. Who says that a government agency doesn't work well?

AT&T's jump up the list could be related to the telecommunications company's public statement about its behavioral targeting policy, which is more consumer-friendly than most companies. Then again, maybe the public has forgotten about AT&T's role with internal spying.

For a year-to-year comparison of the top 20 companies for privacy, see Mike Spinney's blog at the Ponemon site.


IBM Experiences Another Data Breach

IBM's February 2007 data breach exposed the personal information of all of its employees and former employees. China Tech News reported that the sensitive personal information of 1,000 IBM Shenzhen employees was disclosed by a supplier in China:

"Some IBM employees in Dalian reportedly were also victims of this identity theft scam. A Beijing-based company, which is one of the suppliers of IBM, had allegedly applied for the credit cards, which is called Foreign Enterprise Joint Name Card. Though the BOC outlet stated that it did not issue the credit cards since there were no signatures of the employees on the application forms, one of the employees from IBM said that his card had already been used."

According to Forbes Magazine, IBM moved its global procurement headquarters to Shenzhen, China in 2006. This was the first time the headquarters of a corporate-wide IBM division has been moved outside the USA. IBM reportedly has about 3,000 suppliers across Asia and employees in about 60 countries.

You'd think that by now IBM, a company that is frequently hired by other companies as a consultant about data breaches and computer security, would have this breach and supplier security situation figured out -- that it just wouldn't happen to IBM.

Just like in 2007, IBM is tight-lipped when it comes to details. IBM says it is investigating the latest breach and won't release the name of the supplier. In 2007, IBM never disclosed the name of its supplier, nor the results of its breach investigation. In 2007, IBM offered its breach victims 12 months of free credit monitoring with Kroll.

This week, IBM's X-Force released its 2009 Mid-Year Trend and Risk Report about the threats that affect Internet security, including software vulnerabilities and public exploitation, malware, spam, phishing, web-based threats, and general cyber criminal activity. Several news media sources, including Internet News, ran the following quote about the report:

" 'The trends highlighted by the report seem to indicate that the Internet has finally taken on the characteristics of the Wild West where no one is to be trusted,' said IBM X-Force Director Kris Lamb."

IBM should have added its supplier data breaches to the list of threats. Trust nobody indeed. Don't trust IBM either.


Reengineering U.S. Government, Lou Gerstner, and John Madden

[Editor's Note: Today's blog post is by guest author William Seebeck. I've known Bill for decades, going back to our time working together at Lexis-Nexis in Dayton, Ohio during the 1980's. Bill has a wealth of experience in online systems, banking, publishing, and public relations.]

By Bill Seebeck

Shortly after the Super Bowl, I was speaking with a life-long friend, Mike Siani, NFL scout, coach and former Oakland Raiders wide receiver. I said, “You know Mike, I always loved when John Madden was your coach and on first downs he would use three wide receivers (Fred Biletnikoff, Siani, and Cliff Branch) and send you all down field for a big gain pass play from QB Ken Stabler.” (In Mike’s 9-year playing career alone, he averaged some 17 yards after each catch). “Today, most teams are so predictable. They run on the first two downs and then they try the pass on the third down.”

I can still hear it in Madden’s voice today when he says, I’d pass on first down, you’ve got to be more aggressive right out of the box. Go for it!

Another person who liked “going for it” in business was Lou Gerstner, the former CEO of IBM. There are at least two things Lou is known for. The first is being bold and the second being successful.

If you are holding an American Express card, chances are it’s because of the way Lou Gerstner changed their card business between 1978 and 1989. If you enjoyed a Nabisco cracker during the Super Bowl, chances are you can thank Lou Gerstner, and the fact that IBM is still one of the most successful American companies is definitely because of Mr. G.

His efforts at IBM are well known to me, in part because my business partner, Hunter Grant, and I were hired as outside consultants to review and second-guess their Internet strategy in the mid-1990’s. During that time, we looked at quite a number of projects and found them wanting, not because they didn’t have great people, but because they weren’t current with the rapid changes occurring in the information technology marketplace at the time. In addition, the organization had become so large that it was getting in its own way in creating new products. Gerstner changed that, but only after instilling in the company a belief that change and a willingness to accept ongoing examination and criticism were good things that could help drive new growth.

It was no surprise to me then when I received my September 18, 2008 edition of BusinessWeek and found that Lou Gerstner had written a great column entitled “It’s Time To Reengineer U.S. Government”. In this now five-month old article, Gerstner said:

“Amid the ongoing turmoil, it seems obvious we must reinvent our government and create an efficient system that can anticipate and avoid major crises. Despite many opportunities, however, this is not a lesson we have taken to heart. Whether the task is fixing health care, upgrading K-12 education, bolstering national security, or a host of other missions, the U.S. is better at patching problems than fixing them. Part of the reason is that we have two parties lacking comity and a sense of shared national responsibility. But beyond the partisan divide, I would argue that the processes of government are broken, preventing us from taking responsible actions.”

In the article, he invited readers to visit USA.gov and there he said:

“You'll find thousands of directorates, agencies, boards, offices, and services replete with overlapping responsibilities, ancient priorities, and divided accountability.”

He continued:

“We do not need Departments of Commerce, Labor, and Education; we need a single Department of Skills that will promote an integrated approach to global competitiveness. Our military should be trained and structured around missions, not the elements of air, water, and land. That requires fundamental change, but instead, the Defense Dept. has established an overlay of "commands" to compensate for organizational deficiencies. Does it make sense, in 2008, even to have a Bureau of Alcohol, Tobacco, Firearms & Explosives? If so, why is it part of the Treasury Dept.?”

When it gets to the financial sector, Mr. Gerstner stated:

“... the regulatory processes in place are ad hoc and depend on leaders undertaking risky initiatives. Now more than ever, we need a single federal organization to oversee all of our financial institutions.”

In addition to calling for bipartisan action and business cooperation, he suggests the creation of a commission similar to the one established by President Reagan in 1982 that became known as the Grace Commission (named after its chairman and my former boss, the late J. Peter Grace, Jr.). It was this commission that uncovered great government waste. In its final report, the Commission concluded that nearly one-third of all taxes collected by the federal government were squandered through inefficiency. Although, as Mr. Gerstner stated in his article, 2,478 recommendations were made, few were ever tried.

I agree with Lou Gerstner. A government reengineering team should be created, reporting directly to the President. It should be vigorous in its effort to create change not for change's sake but because we know that government no longer works. It is a broken system. We are much better off defining new requirements and creating a new government structure that we can migrate to, one that is lean, flexible and powerful enough to efficiently meet the needs of tomorrow’s citizens.

Come on, don’t be afraid, you’ve got to be more aggressive out of the box. Go for it!

© 2009 WBSeebeck


Is A Total Surveillance Society Inevitable?

Recently, ZD Net Australia reported about the Legal Futures Conference at Stanford University in California. Several technologists and legal experts attended the conference. Many legal experts have again raised concerns that Web 2.0 has come at the expense of individual privacy. The article quoted an IBM technologist at the conference who said:

" 'A total surveillance is not only inevitable and irreversible, but also irresistible,' Jeff Jonas, distinguished engineer and chief scientist at IBM Entity Analytics, said during a panel on surveillance at the conference on Saturday. For example, imagine how convenient it would be to have RFID chips embedded in sunglasses so you could find them easily, Jonas said."

Is he serious? Inevitable? Irresistible? Just so I can find my sunglasses? Consider this:

"Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, acknowledged that she finds the location-based technology in her iPhone very convenient when she's trying to avoid traffic congestion but she doesn't want the government to be able to use that technology to track her down. The fact that all sorts of data about each of us is being gathered and is archived, searchable, and can be compiled to create profiles about each of us is what makes digital privacy intrusions so much scarier than pre-Internet life, she said."

Jeffrey Rosen, a law professor at George Washington University and legal affairs editor of The New Republic, warned of:

"... "privacy chernobyls," which he described as "new threats to privacy that have the potential to transform society in troubling ways". Examples include Facebook revealing more about its members than they care to have revealed and tracking their purchases without consent, as well as AOL inadvertently exposing search terms of 650,000 people in 2006."

Are attitudes in the USA unique?

"The perspective is different in other countries, Rosen said. Americans are, in general, concerned with preventing terrorism, while Europeans are concerned with protecting their individual privacy, he said. For example, the French will bare their breasts but not their salaries and mortgages, and the reverse is true in the US. "My fear is that the cultural differences will make thoughtful regulation difficult," Rosen said."

Probably the most important conclusion:

"Government regulation is necessary to ensure that consumers' privacy is adequately protected online, Granick and Rosen said. Orin Kerr, a professor at George Washington University Law School, said the Fourth Amendment can be applied to the online world in a way that balances individual rights with law enforcement  needs."

I find a total surveillance society easily resistible. Nor is it inevitable. We have a choice. What do you think?


One Year Anniversary of IBM Data Breach

First, I'd like to welcome the many new I've Been Mugged readers. Daily readership has grown five-fold since I started this blog. Hopefully, you have learned plenty about tips and advice to protect your identity and personal data. I've Been Mugged readers have learned how companies archive the personal data of employees, former employees, and customers; and how some companies fail to implement strong, state-of-the-art data security processes.

I started this blog in July 2007 after a former employer, IBM, exposed my personal information during a data breach. The IBM data breach occurred exactly one year ago today. The beginning posts in this blog present my conversations with IBM and the free credit monitoring service IBM arranged for its ID-theft victims.

So far, I haven't experienced any more identity-theft problems as a result of this data breach. But, my sensitive personal data is still out there on IBM's "lost" or stolen data tapes for identity thieves to sell and abuse. I realize that the risk to me has not decreased because my data is still out there. At some future point, the thieves will crack the data encryption on those data tapes and then the "fun will begin."

Is it fair that IBM's free credit monitoring offer ends in June while the risk IBM created with its careless data handling continues indefinitely? Nope. But this is the way many companies deal with identity theft... shift the burden and risk to consumers. Companies would like consumers to believe that the risk ends before the free credit monitoring period ends.


No Updates From IBM At Its Web Site About Its February 2007 Data Breach

Every few weeks, I check IBM's employee web site for any updates about the company's February 2007 data breach. So far, IBM has not updated the site page. It contains the same content it did when I first visited the site in May 2007 -- eight months ago.

I had hoped that the site would have included updates about the status of the breach and data tape investigation. Maybe IBM will have recovered some or all of the "lost" data tapes by now? Or maybe the investigation might have uncovered some corrupt employees or vendor employees? I had hoped that IBM would have communicated more frequently with the identity-theft victims its breach created.

I am still hoping that during the next few months IBM will update the site with information about extending the credit monitoring service with Kroll after the year of free credit monitoring ends. Who knows, maybe the term of free credit monitoring will be extended.

It's hard to know what's going on with IBM since the page displays the same stale information it did in May 2007. Various news reports have reported that IBM cut the base pay of many employees by 15% after settling various class-action lawsuits which claimed that the company denied the workers overtime pay by illegally classifying them as exempt instead of hourly. Apparently, the pay cuts extend beyond the original group of employees identified in the class-action lawsuits.

Sounds like an attempt by IBM to play hard-ball.


In The News: Kroll, IBM, and I've Been Mugged

I've Been Mugged readers may remember that in August of 2007, I was interviewed by the American Banker publication for a news story about the credit monitoring service IBM had arranged with Kroll. While this article has been available at the American Banker web site for a fee, I just learned that it is available for free in the media section at Kroll's web site.


In The Blogosphere: IT Project Failures and The Hartford's Data Breach

Whether or not you work in the Information Technology (IT) profession, IT Project Failures is a well-written blog. Michael Krigsman chronicles the missteps, mishaps, fumbles, and failures by IT departments in corporations and in government agencies. Michael is a good friend and I hope that more IT professionals read his blog and learn from the examples.

In a recent post, Michael wrote about a data breach at The Hartford insurance company. Data breaches are just one of the many types of IT department fumbles and mishaps.

The Hartford's data breach reminded me a lot of IBM's data breach earlier this year, when IBM lost my personal data. After reading the news reports in PC World and Cleveland.com (Note: State of Ohio Insurance Director Mary Jo Hudson is asking good questions), both companies' data breaches have some similarities:

  1. Both companies lost backup data tapes
  2. Both companies claim the data tapes were "lost" and that there's no evidence that the lost data has been misused
  3. Both companies took more than a month to notify identity theft victims
  4. The data tapes included sensitive personal data like SS#'s and driver's license numbers, and
  5. Both companies offered the identity-theft victims one year of free credit monitoring

There are a couple of differences. First, The Hartford was open and honest about the number of records exposed/stolen. To this day, IBM has never disclosed the number of records lost/stolen. It's difficult to trust a company that is not open and honest.

Second, The Hartford's data breach included lost/stolen customer information, while IBM's data breach included lost/stolen employee and former-employee information.

Now, back to the similarities...

It really seems dishonest when companies claim immediately after a data breach that there's no evidence of the data being stolen. First, the fact that they can't find the data tapes would be evidence enough. Second, identity criminals aren't going to announce that they've stolen or copied the tapes. Third, it'll be the identity-theft victims that discover the evidence, when identity thieves try to access their financial accounts or commit fraud in the ID-victims' names.

When companies make this claim of no evidence, they really need to be specific. Was their search for evidence only within the company? Did they approach law enforcement? Is their claim of 'no evidence' based on law enforcement's investigation?

Both companies seem to believe that one year of free credit monitoring is enough. It isn't. Identity theft victims have to monitor their financial and credit reports for a far longer time period than one year... like the rest of their lives. Both companies' data breaches created this risk for the identity theft victims. So, the period of free credit monitoring should match the risk period.