
Monday, July 30, 2007


STATE OF MASSACHUSETTS TO PASS DATA BREACH BILL COMPARABLE TO CALIFORNIA’S SB 1386


According to an article in the Boston Globe by April Simpson, the state of Mass. will pass into law a bill giving consumers much more control over their sensitive data. They can stop any action to open new credit card accounts, and business and government must notify consumers of data breaches. Breached information would require things like a Social Security number, or anything likely to help ID thieves open accounts in a victim’s name. The drawback, as I see it—and understand that I haven’t yet studied the full bill—is that the requirement to notify carries that vague and potentially catastrophic terminology for security breaches identifying the contingency factor as those that “may place their (the consumer) personal information at risk.” (This differs from California SB 1386, which requires notification if the data is not encrypted.) Who decides, and if it’s business or government, we already know what to expect. Eric Bourassa, an advocate for Massachusetts Public Information Research Groups (PIRG), while agreeing with parts of the bill, even expresses concern over the term, “deemed to be at risk.” However, for the first time, a state has dictated a method of compliance that puts the consumer in at least some control over a portion of their sensitive data. Mass. consumers will create a password or PIN number to authorize the release of information by the big-three credit bureaus. In my concept, the individual should have full control over their name and personal data, and they should be compensated when it is sold. With a system similar to the PIN number approach, they would approve any transaction involving their name and private information instantly by e-mail or telephone. So now when the Mass. bill passes, California won’t be the only leader in protecting consumers in the identity crisis.

FOCUS ON PROTECTING YOUR IDENTITY


Control Your Name Alliance, Inc. (CYNA) is a non-profit organization formed for the purpose of achieving individual control over our names and personal data, and compensating the name-holder when it is sold. It is a grassroots movement conducting research and education on this issue to determine the best approach to accomplish these goals. Please support your right to control your sensitive data by making a contribution to CYNA and send your check to Control Your Name Alliance, Inc., at P.O. Box 347, Cave Creek, AZ 85331. We aren’t tax exempt yet, so donations are not tax deductible. Please contact me by e-mail (jack.dundiv@cox.net) with any questions.

TOO MUCH OF A DUMB THING


We all do dumb things in the course of our everyday life, but, hopefully, this is limited when it affects those other than ourselves. Not so for the business world, according to a study by the Ponemon Research Institute, which found that 85 percent of the businesses you deal with have experienced a data security breach. Larry Ponemon, founder and chairman of the research group, says, “many businesses may be discounting the long-term threat to customer retention and corporate reputation.” This, with 74 percent reporting the loss of customers; 59 percent facing potential litigation; 33 percent possible fines; and 32 percent a drop in share value. If they don’t even care about the effects of a data breach on the profitability of their company, how much concern could they possibly have for the loss of your private information? This is a preposterous position to be taken by the organizations that collect and maintain our sensitive data, but it gets even worse. Just under half of the breaches were from lost or stolen laptops and other storage devices, which shouldn’t even be leaving the building anyway with individual personal data. Incompetent employees handling the data came in second. With all the aggravation and money it could cost their customers, 46 percent of the study respondents were not going to implement data encryption for portable devices like laptops. Many businesses were going to require outside vendors to encrypt sensitive data in transit, which is a great move, but coming much too late.

WHAT U.S. BUSINESS THINKS OF YOUR PERSONAL DATA


I’ve been railing over the way business treats consumers’ names and personal data for over two years now, and now InformationWeek Research’s 10th Annual Global Information Security survey seems to come to the same conclusion, rating it as “The data theft time bomb.” To begin, two-thirds of the U.S. respondents—U.S. results are compared with China—feel just as vulnerable to security attacks as they did last year. In China, it’s 89 percent. Apparently that feeling doesn’t cause much concern since one-third in the U.S. list “preventing breaches” as their top priority to maintain security. Less than one-half for China. I’m not sure why the comparison with China, but there is an interesting parallel at the end of the article. Where the U.S. expects to decrease its spending on security to 12 percent this year from 13 percent in 2006, China plans 19 percent in 2007, up from 16 percent in 2006. Another statistic: China is fourth as a phishing host country, whereas the United States is first. It’s hard to tell if China is just ahead of us technologically, or the U.S. has just decided not to worry about the identity crisis. Here’s a shocker: nearly one-quarter of U.S. businesses do not measure the value of their security investment. Most experts agree that employees are one of the highest potentials—if not the highest—for a breach in security. It is this kind of fact that makes me go ballistic when I hear other supposed experts make claims that almost no identity theft results from large company data breaches. The rogue employee knows what the data is about, and sells it for the purpose of ID thieves reaping benefits from the data. This is an excellent study for those interested in the security of our sensitive data, and I highly recommend its reading.

DUMBING DOWN ON PRIVACY


Because there are so many data breaches and otherwise dim-witted things happening in the identity crisis issue, I have decided to lump a few together to try and emphasize just how widespread this problem is getting. Starting off, there was an incident where a subcontractor of St. Vincent Indianapolis Hospital made 51,000 patients’ names, addresses and Social Security numbers available on the Internet for a supposed “brief” period of time. If they really knew how long, they should say. But then, Fred Cate, director of The Center for Applied Cybersecurity Research at Indiana University, made an astounding statement: “For the people whose data were involved, statistically they can sleep well tonight,” based on his earlier comment that “such incidents almost never result in actual identity theft.” Completely irresponsible since we really don’t know how these data thefts will play out in the future. Next, the consumer takes front and center in a survey on data security by Vontu and Ponemon Institute of online buying habits. It seems that 36 percent of you responders said you wouldn’t use your credit card for purchases from Web merchants you don’t know. Duh…should be 100 percent. Then 45 percent of you said you wouldn’t provide your Social Security number to a Web site. Double duh…should be 100 percent. The first, OK, maybe something you want real bad, but your SS#? Have you been in the closet recently? Finally, the iPhone craze came to a startling realization recently with the release from a group of researchers who were intentionally trying to find ways to exploit the new device. Right out the door, the attacker took control of the instrument through a flaw in the Safari browser that runs on the phone. A second exploit forced the phone into some trivial functions, but the same attack could be used to take over the communications of the device. The research team, Independent Security Evaluators, said, “there are serious problems with the design and implementation of security on the iPhone.”

EGG ON THE MOUSE’S FACE


I once observed Walt Disney instructing painters in Disneyland on just how he wanted them to paint the storefronts on Mainstreet U.S.A. I didn’t know him, but a Disneyland PR representative who was giving me a tour prior to the park opening told me of how Disney made sure of every detail of the operation at least once a week. Imagine his dismay if he knew a Disney subcontractor involved in the Movie Club sold an unknown amount of credit card numbers and other data from customer accounts. The company sent out letters to customers, one of which was received by an Atlanta man who provided it to Computerworld for their story, which includes excerpts from the letter. The subcontractor was Alta Resources in Wisconsin, who reported their employee actually sold the data to law enforcement people in a sting operation. Not your typical ID thief, who would have immediately gone to the Internet underground to make the sale. Disney did say the CVV codes—that three-digit number found on the back of most credit cards—had not been compromised. The letter-writer did make the same old tiresome statement that there was no indication of any improper use of the data. Disney did not offer any free credit monitoring, and “urged” their customers to contact financial institutions issuing the credit cards for questions re. their accounts. That’s not the way Walt would have done it, because the PR guy told me that Disney literally revered the people who came to his dreamland. It is also not the way most responsible companies would react. Brad Van Duser, the person who turned the letter over to Computerworld, commented on how, with all the recently reported data breaches, a “reputable company like Disney had not taken steps to thoroughly protect my credit card information.” Welcome to the “club,” Brad.

Monday, July 23, 2007


JUNK MAIL PUBLICATION DM NEWS SAYS YOU LIKE UNSOLICITED CREDIT CARDS


Market research firm Cardbeat says 42 percent of U.S. consumers received their newest credit card from a pre-approved credit card offer, according to DM News. I don’t doubt the statement, since the credit card companies mail millions of these offers each year. Our household currently receives around five of these mailings weekly, and I don’t believe the majority of the American public “likes” this unsolicited potential time-bomb. It is all an ID thief needs to steal your identity, and start a process that could cause you years of grief. When Googling “unsolicited credit cards,” you get almost 2 million hits, and after scanning ten of the pages, all I saw was negative content. One of the sites, ConsumerAffairs.com, lists 11 pages of complaints dating back to 2001, all against one company, Consumer Credit Services/First National Credit Card. A Washington Post article by Annys Shin comments on how she is “stunned by how many companies have contacted a credit bureau seeking information about (her).” And then the Ripoff Report also covers the Consumer Credit Services/First National Card about the company’s deceptive tactics, and includes a lawsuit filed against the company and its president, Eric A. Petersen. The DM News piece also mentions that British consumers use the pre-approved method for applying for their credit cards in percentages that are considerably less than the U.S. They prefer “take one” applications at teller counters. That’s probably due to the fact that citizens in the UK are more aware due to more stringent data protection laws there than we have in this country. You can thank your Congressional representatives for that.

ANOTHER VOTER REGISTRATION LIST WITH 167 MILLION REGISTERED VOTERS GOES ON THE MARKET


A company by the name of e-Merges.com just sent me material on their list of 167 million registered voters. Along with name and address, I can also buy your race, ethnicity, and date of birth. The latter, of course, is one of the essentials to steal your identity. There are several voter lists on the market. I counted 88 listed in Standard Rate & Data, the authority for list professionals. They come in all flavors: Democrat, Republican, Independent or just Other; they’re broken down by region, state, legislative district, baby boomers, pro-choice, voting viewpoint, affluent Americans, hunters, liberals, conservatives, pet lovers, even “devoted” voters, whatever that means. If you don’t know where I’m going, the emphasis here is on what the junk mail industry can do to a simple name and address. It’s called enhancement, and the more selective information they add to that name and address, the higher the price goes, and further out the window goes your privacy. E-Merges.com will sell you all 167 million names for $99,300. OK, voting registrations are public records, but not many people know that states can sell the data, according to a story from Wired.com. In 2004, a California privacy task force said the state should tell voters that it is selling voter registration information. In some states, even commercial marketers can buy the list, adding to it enhancements like income, purchasing histories, other demographics, and family lifestyles. You get the idea. Your life is an open book, and every page of it is for sale. Beth Givens, founder and director of Privacy Rights Clearinghouse, said California “hasn’t had the inclination or the resources to monitor companies selling voter lists or the people who buy them.” Another company marketing voter lists nationwide is Aristotle, who Wired.com claims in their 2004 article “was selling voter information online to anyone who wanted to buy it, without verifying their identity or purpose.” So when you boil it down, if I want to exercise my right to vote, which is guaranteed in our Constitution, I have to give up my personal information, which is made public, and can be manipulated and added to for the sake of profitability, and then sold to just about anyone willing to buy. Capitalism at its best.


READER’S DIGEST SURVEY A BIT TROUBLING


In a recent copy of Reader’s Digest, they included a reader survey, which doubled as an entry form for their latest contest. No purchase necessary, but it’s not clear if you must complete the survey for entry into the contest. There are five questions, some with multiple parts. The one that bothers me most asks the reader what ailments they have. From bipolar disorder, to depression, to heart disease, to whether you have experienced a stroke. They also want to know what pharmacy you use, and whether or not you have health insurance. Finally, they want to contact you by e-mail, and ask for that address. Up to this point the survey is anonymous, and you don’t have to provide your e-mail, but how many do this either without thinking, or with the belief it will help them to win the contest? In this last question, and also in the contest rules, you can opt-out of having your subscription information (name, address, etc.) “shared” with other junk mailers. In order to do that, you must write to RD. Reader’s Digest has 64 lists of their subscribers on the market, and the term “shared” really means selling your name; over 1.2 million of them, for around 12 cents each. Either by other surveys, or through lifestyle enhancement of their list, they know all about your children, if you have pets, your ethnicity, age and income, whether you are an investor, your religious preference, and much more. RD is no different than other junk mailers who crave every scrap of private information they can collect on their customers. There have been problems in the past. In 2005, RD settled with the state of Connecticut for “deceptive marketing of its sweepstakes contests,” paying restitution of $171,000 and $25,000 to the state. And back in 2001, the company made a settlement with 32 states and D.C. to make changes in its sweepstakes mailing practices, and pay refunds of $6 million to customers, plus $2 million in attorneys’ fees. The march to know everything there is to know about every individual in this country takes weird turns and uses alluring bait such as surveys combined with contests, but the end result is still the same: The complete erosion of your privacy.

JUST HOW INCOMPETENT WILL U.S. GOVERNMENT AGENCIES BECOME?


If I had to really guess, my conclusion would be that there’s still more ineptitude coming. Especially when it comes to protecting the privacy rights of consumers. The House of Representatives is probing just why the Federal Trade Commission (FTC) and the Federal Reserve haven’t implemented law to help the American public repair errors in their credit reports, according to an article by ConsumerAffairs.com. In a 2004 study done by the U.S. Public Research Interest Group, 79 percent of the credit reports checked had errors of some kind; 25 percent had errors that could result in denial of credit. The law House members refer to requires the major credit bureaus (Experian, Equifax, and TransUnion) to “overhaul their customer support procedures and provide free credit reports.” Apparently this isn’t getting done, and Rep. Carolyn Maloney (D-NY) is accusing the Feds of consistent inaction. I wonder how many of these House members are also talking to junk mail and financial industry lobbyists regularly about just why they don’t want the law implemented? Odds are there are several, and the reason they want the inaction to continue is money. Free reports and good customer service cost them mucho bucks, and spending money on the consumer is not in their short term or long term plans. Case in point. For years I have subscribed to Experian’s Credit Manager for $90 a year to be able to access my credit report and credit score any time I want to. Nothing had ever gone wrong until I posted articles on Experian that were unfavorable but true. Soon after, my entire credit history vanished from Credit Manager, and I was unable to access the report. You can read two stories on this issue: “Level of Competence at Experian Credit Bureau Found to Be Low,” and “Experian Denies My Right to Dispute Credit Report Problem.” In summary, I ran into the most incompetent group of customer service representatives—and that includes every level of management—that I have ever experienced anywhere. My credit report finally returned mysteriously, but I have never been given a reason why this happened. Privacy advocates at the House hearing argued that the credit reporting industry has been cost-cutting in their compliance of the FACTA law, which is the one in question, and are even outsourcing their dispute processing to low-wage countries like the Philippines, Jamaica, and Costa Rica. National Consumer Law Center staff attorney, Chi Chi Wu, says credit bureaus “treat disputes as a nuisance…devoting as little resources as possible by using automation that produces formalistic results.” As a major recipient in the $4 billion made annually from the sale of names and personal data, it is time for credit bureaus to clean up their act!

LINDA FOLEY ADDRESSES EMOTIONAL SIDE OF IDENTITY THEFT


Linda Foley, who founded Identity Theft Resource Center (ITRC) after being devastated from an ID theft that resulted from an act by her boss, is certainly a good candidate to discuss the emotional side of this issue. In a recent Health magazine article, she laid out five ways to deal with feelings while trying to put your finances back in order. First, you deal with the anger from having something this personal happen to you. Instead of dwelling on the incident, let it work for you in fighting back against the bad guys. Second, don’t take on a guilt trip because you think you weren’t careful enough, and definitely don’t turn inward, blocking out friends and family. Three, you aren’t alone; get help immediately, seeking out those who have either experienced this fraud, or experts in the field like ITRC and Privacy Rights Clearinghouse. Four, if you really hit bottom and can’t get out of bed in the morning, this is the time to turn to a professional for help. And five, you’ll eventually be able to face up to the fact that it happened, you did something about it, and now it’s time to move on. However, moving on should include taking every precaution to see that it doesn’t happen again. After blogging on this subject for over two years, I do want to add the fact that most identity theft is preventable. Having said that, the U.S. Congress has been of no help with this problem, so it is up to the consumer to take responsibility. To do that, we must be awarded full control over our names and personal data.

Saturday, July 14, 2007


CERTEGY DATA LOSS TAKES ON WEIRD LIFE OF ITS OWN


When Certegy Check Services’ former employee William G. Sullivan decided to sell 2.3 million names he had lifted from his former company, a series of events began to take place that should have tipped off even the most inexperienced junk mail professional. A data broker by the name of Jam Marketing, located in the UK, bought the records and resold them to several junk mail companies. The data was comprised of names and addresses and bank card and credit card information. During the 35 years I was a data broker, I required absolute confirmation of the source of every name I purchased for my clients. And I cannot remember one of my clients who, if he or she did not recognize the mailing list, didn’t grill me thoroughly on where the names came from. That was standard operating procedure with me, and with most of the data brokers in the industry. In the case of the Certegy incident, safeguards seem to have completely broken down, or they were non-existent. According to junk mail publication, DMNews, neither Jam Marketing nor the junk mail companies knew what they were buying, and Certegy confirmed this when filing legal action against Sullivan. Let’s look at some of these companies who bought from Jam Marketing. Strategia Marketing, a telemarketing firm previously named Suntasia Marketing, has unsatisfactory records with the Better Business Bureau in Florida (pattern of complaints from misrepresentation of sales practices to delivery issues), and the Northwest (amassing over 160 complaints). Whitehat.com Inc., a company formed by the combination of American Computer Group in Tempe, AZ, and CompuTech Direct of Chicago, both of which I know as computer processing companies for junk mailers. Quality Teleservices Management, Inc. doing business as Custom Response Teleservices; the former appears to be an insurance company registered with Idaho, but located in Nebraska; the latter a telemarketing call center headquartered in Omaha, NE. Since no official explanations have been provided by the junk mail companies buying the lists, it is impossible to determine what really happened. The question is… should they have known what they were buying? In my opinion, yes, they should have.


WANTED: ACCURATE ID THEFT REPORTING AGENCY


Congress recently asked the General Accounting Office (GAO) to basically evaluate the current identity crisis in relation to the harm caused by personal data breaches. There were at least ten articles on their study, each adding pertinent information to their specific area, with headlines from “Small risk of identity theft” to “Data Breaches Frequent, Effects Unknown.” Not one of the articles—which I don’t link to for obvious reasons—addressed the point of this issue: that just one data breach is too much. The data collectors—from junk mailers, to medical institutions, financial and mortgage firms, and hundreds of non-junk mail companies—are constantly amassing and selling your private information, which, to me, constitutes a fiduciary trust that is being broken on a daily basis. GAO immediately bogs down in trying to explain away the threat by arguing that most large data breaches don’t result in ID theft. That concept was quickly nixed in a July 10, 2007 SC Magazine (for IT professionals) article by Jim Carr, “Four charged in ID theft ring.” These Cuban nationals used data they bought in the underground to counterfeit credit cards. Carr quotes Mari Frank, an attorney and consumer rights advocate, that since there is such a large number (over 200,000) of credit card numbers involved, “there’s a huge connection between data breaches and ID theft.” Exactly what I have been saying in this blog for over two years. Privacy Rights Clearinghouse (PRC) does have its “Chronology of Data Breaches” which is an excellent documentation of the problem. PRC also lists the 2007 Javelin Strategy & Research Survey that corroborates the severity of the issue: 8.4 million victims in 2006 at a cost of $5,720 each for a total loss that year of $49.3 billion. This is why I am infuriated when government entities like the GAO, who know little of the specifics of the overall situation, make stupid assumptions like there’s no real identity theft problem. If it isn’t what they meant specifically, they should keep their mouths shut and defer to organizations like Privacy Rights Clearinghouse and Javelin.

STATES CONTINUE TO LEGISLATE DATA BREACH LAWS


I can see the state legislative committees now, meeting in small rooms to determine how best to do what the U.S. Congress has bungled over and over: Pass legislation that will protect consumers from identity theft. Unfortunately, outside the state of California, most of these laws aren’t up to solving the identity crisis. Even the Golden State bill doesn’t go far enough, because it doesn’t incorporate my concept of individual control, giving the consumer the responsibility of guarding their identity. But three more state laws were passed in Illinois, Louisiana and New Jersey the first of this year, according to ComputerWorld. There are 35 state data breach bills in effect now, including the latest three, and one would think this would wake up a junk mail industry and non-junk mail businesses that collect your private information, as a warning that there will be a nightmare conglomeration of rules to follow in order to do business. There are two ways to solve the problem: one) business voluntarily gives control of consumers’ names and personal data to the individual in an arrangement where the name-holder has the accountability to determine how and when their sensitive data is used and sold; two) pass federal legislation that awards this control to the consumer. In both cases, the individual should be compensated when their names and private information are sold. The junk mail industry trade organization, the Direct Marketing Assn. (DMA) should be taking the lead in this issue, but, as a former data broker of 35 years, the list business leaders would probably fire DMA president, John Greco, if he came up with such an insane idea. Leadership is hard to find these days.

CALIFORNIA STATE SENATOR INTRODUCES BILL TO HALT ORWELL’S BIG BROTHER


ZDNet.com reports from an Associated Press article that California Democratic state Senator Joe Simitian has introduced a bill that would prevent employers from outfitting their employees (usually in the shoulder) with RFID devices that could track their movements. RFIDs are computer chips that can be inserted under a person’s skin, and are able to hold all kinds of personal data and be read by tracking instruments from various distances. The technology is developing faster than individual protection requirements, as usual, thus, another flavor of Big Brother to threaten our privacy. To illustrate the critical nature of this situation, the 45.7 million credit card numbers stolen in the TJ Maxx incident were the result of criminal hackers in the company’s parking lot using a directional antenna to download the data. Denise Richardson, a colleague in this battle for our privacy, did an excellent article in American Chronicle on the RFID threat, documenting an investigative reporter’s experiment from the local Miami ABC affiliate. With an RFID chip reading device, she was able to skim the private information from the wallets of several co-workers at the TV station that each felt was secure in their pockets or purses. But Roxanne Gould, representing a high-tech industry group, says Simitian is wrong, and that her organization is opposed to “anything that demonizes RFIDs.” What we should do is implant a chip in Gould with her sensitive data, and let her walk around for several weeks, and see just how many times she is hacked, while tracking every move she makes. See how she likes Big Brother on her back.

JUNK MAIL INDUSTRY FOCUS ON PROFITS, NOT CONSUMER


Back in May of this year, John Greco, President of junk mail trade organization, the Direct Marketing Assn. (DMA) welcomed participants to another of the industry’s conferences to figure out how to extract an extra buck from its loyal customers. (See story) This one featured the catalog and multichannel marketing, which employs multiple means to send you yet more junk mail. Although the conference didn’t address the needs of protecting consumer names and personal data, it did push the environmental issue with Greco announcing a new DMA logo, “Recycle Please.” He also called on the membership to police itself in the matter of things like recycling and reducing pollution. I hope they do a better job in this matter than they did several years ago when the DMA changed its policy to require members to give customers the right to opt-out of having their names sold. Some large junk mailers still do not follow this mandate; meaning they aren’t members of the DMA and not subject to its regulations. But I was most astonished by another statement made by Greco at the conference re. the relationship of junk mail advertising to broadcast and print media. His comments were based on a new program sponsored by the DMA called “Mail Moves America.” The point was that in the same way that TV and radio programs and newspaper and magazine editorial content are paid for by advertising, junk mail supports the postal system. So now let’s look at this analogy. In broadcast and print, everyone receives a return on their investment: TV and radio stations, magazines, newspapers and of course the advertisers. The viewers and readers are there, much as the junk mail buyer responds, but the personal aspects of their viewership or readership are not individually sold in the marketplace. But with the junk mailers, they hijack our names and private information, and place it on the market all over the world within hours of a transaction. And the $4 billion made annually from selling this sensitive data is all in addition to what you paid for the products or services purchased from the junk mail company. You, the consumer, are the very foundation of the most profitable area of the junk mail business, selling mailing lists, and you don’t receive one penny in return. How do you answer that, Mr. Greco?

Saturday, July 07, 2007


LARGE DATA BREACH TURNS INTO MYSTERIOUS BIGGER CONTROVERSY


Certegy Check Services Inc., St. Petersburg, FL, a subsidiary of Certegy, Inc., Alpharetta, GA, had 2.3 million consumer records, including credit card and bank account numbers plus other personal information, stolen by an employee identified as William G. Sullivan. He was fired, but during his tenure at Certegy Sullivan had set up his own company, through which he sold the 2.3 million records to the data broker Jam Marketing, located in the United Kingdom, which in turn sold them to several unidentified junk mail companies. Fidelity National Information Services, a financial processing company, is the parent of Certegy, Inc., and a provider of solutions supporting financial services companies throughout the world. (See stories in the Assoc. Press and Digital Transactions) But the intrigue heightens: I discovered that Certegy Check Services was formerly known as Equifax Check Solutions. Equifax is one of the big six data brokers and also one of the big three credit bureaus. ChoicePoint is a spin-off from Equifax, headquartered in Alpharetta, GA, as is Certegy Inc. This incestuous-looking arrangement has nothing to do with what happened to the 2.3 million records, at least as far as I know, but it supports my long-running conclusion that your sensitive data is in a constant state of flux within a huge confederacy of data brokers and junk mail companies. It has since been reported that the personal information wasn't sold by Sullivan, only names and addresses. This story is unfolding as this is written, and the most important fact is yet to be revealed: who were the junk mail companies buying the stolen data? (Both the data broker and the junk mail companies say they didn't know it was stolen.) I'll have the latest on this incident in my next post, along with some observations on this series of suspicious transactions.

PERSONAL DATA MOST VULNERABLE IN HIGHER EDUCATION


Colleges and universities are the most likely sites of data breaches, according to The NonProfit Times. I looked for confirmation on the Privacy Rights Clearinghouse Chronology of Data Breaches and found not only that there have been 158 higher education breaches, but that three of them occurred before the ChoicePoint incident in February 2005. With the number of breaches between Jan. 1, 2005 and July 3, 2007 adding up to 615, the 158 by colleges and universities represent almost 26 percent of the total. And that doesn't even include those happening in lower education. Some have had multiple incidents, like the University of Colorado, Notre Dame, U. of San Diego, Purdue, Northwestern, U. of Texas, and Ohio State. All of these had three or more breaches: U. of Colorado seven, Purdue and U. of Texas five, Northwestern four. Just this past May, InfoWorld reported a data breach at the U. of Colorado that resulted from an unpatched flaw in its Symantec anti-virus software and exposed the Social Security numbers of 45,000 students. Symantec had issued the patch, but the university had not applied it. Since this school's first incident occurred in January of 2005, it is reasonable to hope that someone would have learned something about security in almost two and a half years. But the big one occurred at the U. of California-Los Angeles (UCLA), where hackers made off with the names, addresses, birth dates, and Social Security numbers of 800,000 students, employees, and faculty. According to ConsumerAffairs.com, not only was it the biggest, but it took over a year to discover the intrusion. Someone isn't minding the store, and predictions are that the problem will only worsen. With 44 higher education breaches already in 2007 (there were 58 in 2006), this should be a banner year for the ID thieves, as I have repeatedly predicted.

iPHONE FORCES RELEASE OF SOCIAL SECURITY NUMBER TO ACTIVATE


Michael Tiemann has a great article on News.com, "Before you activate your iPhone, read this!", that re-emphasizes the need for a law prohibiting private businesses from asking consumers for Social Security numbers. It may sometimes be necessary in the financial or medical communities, and for critical security checks, but it should never be required in an ordinary business transaction. Apple and AT&T are demanding it to activate the new iPhones; 525,000 were purchased in the initial offering. Tiemann is concerned about the secretive nature of the way Apple conducts business, but he is downright alarmed over AT&T's possession of his wife's personal data, which it will get when she activates her iPhone. He cites the class-action lawsuit against AT&T for allowing the National Security Agency (NSA) "unchecked backdoor access" to its communications network and record database. There is also testimony from the Computer Professionals for Social Responsibility (CPSR) before the Special Joint Subcommittee Studying State and Commercial Use of Social Security Numbers for Transactional Identification. They recommended against any national standard for personal identification, with or without the Social Security number, that would link people to their private information. As recently as June of this year, the FTC told the Subcommittee on Social Security of the US House Committee on Ways and Means that government and business should not collect the SSN unless absolutely necessary. Here's a solution to this whole mess from the "Ask Mr. Modem" column in a local Phoenix weekly, The Tatum Times. Mr. Modem says most people will settle for the last four digits of whatever ID number they ask for, and if they don't, and it's your SSN, just rattle off the first six digits that come to mind. Why didn't I think of that?

DICK CHENEY’S PART IN SHANGHAIING OUR PRIVACY


Although, technically, Vice President Cheney had no control over the Cincinnati federal appeals court that rejected the NSA spying lawsuit, the decision fell right along party lines: two Republicans in favor, the Democrat against. According to an MSNBC article, the majority decided the plaintiffs lacked standing to sue without proof they were monitored by the government. The dissenter, Judge Gilman, says they were within their rights, and that "it was clear the surveillance program violated the Foreign Intelligence Surveillance Act of 1978." There may be some justification in the argument that the plaintiffs could not show they were directly affected, but almost every top legal authority agrees that FISA was violated. Slate recently had an excellent piece by Bruce Fein, "Impeach Cheney," that ties Cheney to all of this administration's shenanigans in usurping the public's individual rights. It quotes Alexander Hamilton in the Federalist Papers to the effect that "an impeachable offense is a political crime against the nation." Fein says Cheney's "multiple crimes against the Constitution clearly qualify." With Big Brother II actually in control of Big Brother I, the Vice President has virtually no use for individual liberties. Fein refers to a number of incidents where Cheney commandeered the rights of others: military commissions acting as judge, jury and prosecutor; kidnappings and secret detentions of suspected terrorists in foreign prisons; advocating and authoring signing statements that affirm the president's intent to disregard provisions of bills he thinks unconstitutional. But the humdinger was Cheney as architect of the National Security Agency (NSA) warrantless spying. His contention that the president can simply ignore any law that stands in the way of gathering intelligence is alarming, and the Senate Judiciary Committee has now subpoenaed his office for records on the matter. The NSA incident alone should qualify him for impeachment.

WHAT PRIVATE PATIENT INFORMATION LURKS IN THESE SEQUESTERED HALLS?


It was bound to happen somewhere, and it finally did in the medical profession's implementation of the 1996 Health Insurance Portability and Accountability Act (HIPAA). Take a bunch of people who are professionally trained, with the level of focus necessary to save our lives, who don't know diddly about the privacy issue, and they are bound to overreact. Apparently the medical profession does not know how to interpret HIPAA, and the higher-ups aren't taking the time to bring the workers up to speed. In a New York Times article, Jane Gross recounts an incident where Gerard Nussbaum was threatened with arrest and eviction from a hospital for trying to make sure his father-in-law was being properly cared for. They picked the wrong person, because Nussbaum is a HIPAA consultant. It all stemmed from the fact that the nurses in the Palos Heights, IL emergency room were about to give Nussbaum's elderly relative a dangerous second dose of sedatives. He was only looking out for his father-in-law's best interest, and it should be criminal to prevent him from doing so. HIPAA even says that health care providers may share information with family members and others involved in the patient's care without a signed authorization, unless the patient objects. Ted Kennedy (D-Mass.) sponsored the original version of HIPAA but was "dismayed" by the "bizarre hodgepodge" of regulations added. He and Sen. Patrick Leahy (D-Vt.) plan to introduce legislation to add some oversight to the dilemma. What is really perplexing about this whole situation is that in the very specialized area of medicine we have massive overreaction, yet when our individual rights are trampled, as they regularly are by the Bush administration, the American public responds with an apathy that has become both predictable and pathetic.