
Friday, February 29, 2008


Several years ago I began thinking about what would happen if we didn’t take steps to protect the personal data we collected in the junk mail industry. At the time I was in charge of buying mailing lists for a West Coast catalog company, and also selling the list of our customers to other junk mail companies. The use of credit cards for telephone orders was gaining momentum, which meant we had the buyer’s credit card number along with his or her name and address. Although identity theft wasn’t a force at the time, it seemed to me that additional security for customer lists would have to parallel the supplementary private information we were asking for. And then I saw an acquaintance from the company’s data processing department walking out on a Friday afternoon with a magnetic tape (hard drives were in the development stages then) in his hands. I casually inquired what was on the tape, and he told me it was the catalog’s customers. Obviously feeling guilty about having the company’s source of income in his hands and at his residence for the weekend, he quickly added he had to deliver it to a third party for processing on Monday, and didn’t want to make the trip to the office first. It was then that I knew the junk mail industry was in trouble. Earlier I had had a taste of the problem when a large database compiler I worked for left tapes with private information lying around on tables unattended. I also witnessed the same thing over the years in computer facilities that were service centers for junk mailers. The only answer is that no one really knew the value of this personal data. At least not how to put it together with things like date of birth and Social Security numbers, along with name and address, which are the ingredients needed today to steal your identity. 
This is all a prelude to an excellent article I found recently from SC Magazine, titled: “You have to think like a thief to protect your data.” It proves the point that we didn’t do our job in the 1970s, ’80s and ’90s in the junk mail industry to protect your names and personal data. And, based on the rash of data breaches in recent years, they still aren’t prepared. The SC Magazine piece makes a statement that I have been emphasizing for three years now: “Data theft is the number one motive for intentional data breaches.” The author continues with more familiar points that it is supported by organized crime, and sometimes too tempting for insiders with control over our data to resist stealing and selling it for a profit. For this reason you have to outthink the crooks by making every effort to secure your private information, since you obviously have no control over how it is used. Here are some sites you can go to that provide info on prevention, if you suspect fraud, and if you are a victim: Federal Trade Commission; Privacy Rights Clearinghouse; Identity Theft Resource Center. Finally, at all costs protect your credit card numbers because once the bad guys have them, they go for as little as $5 on the underground Internet. Start thinking like an ID thief and you won’t become one of their victims.

Thursday, February 28, 2008


In 1991, Congress passed a feeble Telephone Consumer Protection Act that provided limited recourse to consumers sick of unsolicited telemarketing calls. It did include the right to sue on certain conditions, but generally was inadequate in stopping what was becoming the number one annoyance in the country. See history. But as we bounded into the 21st century, the consumer had had enough of junk phone calls and demanded immediate relief from what had now become the biggest aggravation in the American household. All, by the way, compliments of the junk mail industry. The public outcry worked, and George W. Bush signed the Do-Not-Call Implementation Act into law on March 11, 2003, followed by the Federal Trade Commission’s opening of the Do-Not-Call Registry on June 27, 2003. The latter was made permanent on February 15, 2008. It put a lot of companies out of business and many lost their jobs, unfortunately, but it made millions of individuals happy. 150 million, to be exact, who signed up not to receive these irritating calls. It took a few years but the “Do-Not” craze has taken shape once again, this time in the form of mailing lists and on the state level. Consumers are finally fed up over the loss of control over their names and personal data, and are looking for ways to take back this control. No help from the federal government, of course, but the states are jumping into the action to do what Congress refuses to do. There is an article in Deliver Magazine, which is a publication of the U.S. Postal Service, which recounts the states’ march toward “Do-Not-Mail” legislation, starting with 8 in 2006, rising to 15 in 2007. The momentum is expected to continue. Jerry Cerasale, senior VP of government affairs for the Direct Marketing Assn. (DMA) says the bills are prompted by annoyance over junk mail, unsolicited mail wasting resources, and fear of identity theft from junk mail, which Cerasale says is unfounded. To the latter, I say, you have got to be kidding.
How about all those credit card mailings—some pre-approved—that are sent out in the millions each year? The ID thieves are all but guaranteed a new credit card in your name if they are able to steal the mailing. Rep. Sara Gagliardi of Colorado is introducing a bill to establish a statewide registry for people who don’t want unsolicited mail, but at a news conference promoting the legislation, she was challenged by a postal representative. In a piece from the Rocky Mountain News, he reiterated how businesses would close, leading to more unemployment, which is true and regrettable. However, consumers have rights too, and it is their mailboxes that are cluttered by this junk mail. I do agree with Cerasale that these new laws shouldn’t shut off all mailings. Just get rid of what the household does not want: junk mail. There is a way. Give consumers control over their names and personal data, and let them decide what they want, and opt in accordingly.

Wednesday, February 27, 2008


In a recent San Francisco Chronicle article, the World Privacy Forum is reporting about the hazards of giving up your personal health records to companies that collect and maintain them, supposedly so you can easily manage your health needs. The catch, according to the WPF, is that most of these companies are not subject to federal regulations relating to consumer privacy and security. Doctors, hospitals and insurers must follow the guidelines of the Health Insurance Portability and Accountability Act (HIPAA) which establishes basic privacy and security standards on the handling of health information. But the same rules don’t apply to those companies outside the parameters of accepted health care givers. California, as usual, comes through with their Confidentiality of Medical Information Act that prevents these new health data collectors from marketing your private information without your permission. I did a post on one of these companies in October 2007 and learned some interesting facts. Microsoft’s Health Vault collects and stores your data, providing other health devices to manage your health, and guarantees you complete control. I wasn’t satisfied with their “Privacy Statement” in relation to how the data was secured online, so I contacted them and asked about whether or not it was encrypted, and, if so, at what level. (Lower levels of encryption are not secure against hackers.) The answers I received were a series of explanations about online protocol security and the difference between high and low levels of encryption, all of which I knew. What I wanted was a commitment to what level Microsoft used in Health Vault. What I received was, and I quote: “As for the security on Microsoft's servers, I do not know. I am not a network or system administrator, but I'm sure they are using the best the industry has to offer.” Let’s see, how long would it have taken the guy to find out…five, ten minutes?
Google is supposedly rolling out its own version of a medical services plan in early 2008, consisting of an online profile, a search for physicians, advice on health issues, and the ability to share this information with family and caregivers. With the recent extension of California’s data breach notification law to include medical information and insurance data, there is hope that other states with data breach laws will follow. After all, it was the Golden State’s S.B. 1386 landmark legislation that required ChoicePoint to admit to the breach in early 2005 that ushered in the identity crisis. If there was ever a need for control of private information, it is our medical records, which not only contain things like our Social Security number, but also ailments and medications taken that could prove harmful in seeking a job or health or life insurance. Not that we intend to cover it up, but rather the fact that in so many of these databases, there is so much inaccuracy. You might input your medical data correctly, but what if a doctor or a hospital makes a mistake and confuses you with someone with a life-threatening disease? But wait, that’s already happened without the help of these new databases.

More on the personal health information issue later.

Tuesday, February 26, 2008


The bulletin on ID theft from the U.S. Postal Service came in the mail last Friday with information supplied by the Federal Trade Commission. It was mailed to “Postal Customers” across the country so you may have to rescue it from your pile of things to read. If you can’t find it, go to the FTC site where the information originated. This is good advice and I recommend that everyone study the mailing or website, and keep it available for quick reference. In keeping with yesterday’s post on LifeLock, the company that sells ID theft protection services, it was made clear that “I do not believe in paying for identity theft protection that any individual can do free.” As an example, companies like LifeLock cannot protect you against a theft in progress, but the FTC information covers this in detail. The USPS brochure is headlined “Avoid ID Theft: Deter – Detect – Defend.” You’re covered from taking steps to stop the crime to how to handle being a victim. As an example, you are cautioned on six points for prevention including shredding, not giving up personal info like your Social Security number, and watching your online habits. That’s deterrence. Also be alert to detect possible fraud by checking on bills that don’t arrive on time, denial of credit without reason, and ordering free credit reports. If it happens, you can place a fraud alert on your credit report, close breached accounts, file a police report and file a complaint with the FTC. The circular even forecasts how ID theft can happen to you: dumpster diving for private info; skimming credit card numbers; phishing thieves pretending to be your banker, etc.; changing your address to divert sensitive documents; and just plain stealing your mail, wallet, etc. This is useful information and you’ll be glad you read it! Another good source for information on the identity crisis, as well as advice on preventing or dealing with the fraud, is the Identity Theft Resource Center. 
You can click on “Victim Resources” or “Consumer Resources” at the top of the page for answers to your questions, or visit the “Reference Library” in the left column. I recommend you go to the “breach list” appearing in red in the last paragraph, then check “scam alerts” for the latest on what the crooks are doing. You can find all of this on ITRC’s Home page in the link, above. I also recommend Privacy Rights Clearinghouse which has two of the best references for data breaches in their “Chronology” and “ID Stats” from Javelin Research. Both PRC and ITRC have been riding the crest of the identity theft wave, and have aided thousands in preventing victimization or help them recover from it. There are many who still remain apathetic about the potential of ID theft in their household, but fortunately the numbers are decreasing due to non-profit organizations like ITRC and PRC, and the non-stop media coverage over this crime. But that’s not good enough until we get the apathy level down to zero percent. Where do you stand?

Monday, February 25, 2008


Back in August of 2005, the Federal Trade Commission settled a case with Experian Consumer Direct, a subsidiary of the credit bureau, for deception in advertising “free credit reports” by failing to add that the customer would be automatically signed up for credit monitoring services costing $79.95 each year. The FTC ordered Experian to give up $950,000 of its “ill-gotten gains.” I posted on a personal incident with Experian about a year after this action in which my credit report vanished from the system for a period of two months after I posted some unfavorable comments about the company in my blog, with no explanation from Experian when it mysteriously reappeared. Article one and two. Coincidence or not, I had no record of my credit during that period. Following my first post on this incident, which explained my experience with an Experian customer service department that was completely incompetent, there were 47 comments supporting my findings. Since then, one of the top search engine search topics to my blog has been the problems readers have had with Experian. So now they are at the receiving end and don’t seem to like it. Experian is suing LifeLock, according to one of my favorite blogs, Pogo Was Right, alleging it is losing “millions of dollars a year because of LifeLock’s ‘illegal and fraudulent activities.’” Here’s a copy of the complaint, compliments of Pogo. Experian also claims it suffers a huge expense operating toll-free lines to process fraud alerts for thousands of LifeLock customers. My experience with their toll-free telephone numbers is that, either you can never reach a human being, or, if you do, they are clueless about how to help you. And then there’s the false advertising claim against LifeLock that makes the lawsuit seem like an overblown act of hypocrisy. Don’t get me wrong. I do not believe in paying for identity theft protection that any individual can do free.
Aside from the fact that the protection is limited, some companies in this business never deliver what you pay for. There was an offer recently from my U.S. Airways Dividend Miles club for LifeLock, where I can get from 250 to 1000 miles to sign up. Although this may not be a direct endorsement by the airline, it looks like it is, and will be taken by many of its members as a recommendation for the service. In another article on MSNBC, it is reported that LifeLock has 700,000 customers that pay $120 per year for their service. This translates into $84,000,000 in the pockets of the company, most of which results from scare tactics in the media and in advertising, and an unending quest by consumers for “convenience.” On that one word was the junk mail industry built. In the MSNBC piece, Experian contends that LifeLock is no protection against theft already in progress, and in many cases is unable to stop undocumented workers from ripping off your Social Security number to get a job. Are you ready yet to support my grass roots effort to grant consumers control over their names and personal data?

Saturday, February 23, 2008


In yesterday’s post about Best Buy’s loss of a customer’s computer resulting in her having to file a $54 million lawsuit to get their attention, the point was made that incompetence with our names and personal data has risen to the highest levels in big business. Three months Raelyn Campbell had to wait just to find out the computer was lost, when all this time she knew her tax records were on the machine available to ID thieves. When Best Buy offered to settle, it was a paltry sum that didn’t even include the cost of the laptop and software. That’s when she decided to sue. But that was yesterday, and today the subject of the post is a personal incident my wife had with an Office Max store in Scottsdale, Arizona. She was returning faulty ink cartridges, and the clerk required that she give up her driver’s license number, which he input to Office Max’s database as she watched with alarm. My wife thought when he asked her for the ID that the clerk needed it only for identification, but he indicated it was “company policy” to record the driver’s license number in their system. When my wife protested, the store manager was called, and he confirmed the policy. Since we monitor our credit report on almost a daily basis, she let it go and promptly came home to relate what had happened. When I came down off the ceiling, I immediately composed a letter to the Office Max president, Sam K. Duncan, explaining our shock, and demanding an explanation, as well as the deletion of my wife’s license number from Office Max’s database. Of course Duncan didn’t answer but, Cindee, with no last name, of course, from the company’s Executive Resolution department, did reply with an apology, and assured me it “is not our policy to swipe a customer’s driver’s license into the computer for a return.” She had to tell the store manager, who apparently did not know this.
In the meantime, I had reported the incident to all the appropriate privacy organizations, as well as filing a complaint with the Federal Trade Commission, which I related to Cindee in a follow up e-mail. This led to a string of e-mails where I demanded confirmation the driver’s license had been removed from their database, which I received. This episode illustrates on a first-hand basis the incompetence of people who are collecting our private information, and how the higher-ups are both oblivious to their actions and lacking control. I decided to look further into Office Max’s experience with customers’ sensitive data, and ran across a 2006 case where the firm was investigated as the source of debit-card theft in which the company was cooperating with federal authorities. Digging further, also in 2006, a former Office Max worker in Alameda, California was arrested for allegedly using a customer’s credit card number to pay $1,000 in telephone bills. The suspect, only 19, admitted the theft. So, there was opportunity, and someone, a former employee, took advantage of it. And I am not sure there was any way to prevent this short of granting consumers control over their names and personal data.

Friday, February 22, 2008


No, they have nothing to do with each other. But in both cases it shows the incompetence we are dealing with when it comes to our personal data. In the Best Buy incident, a customer bought a laptop, also purchased extra warranty coverage, tried to use that when her computer had a problem, and ended up losing her laptop, and private records including copies of her taxes. In an Information Week story, the whole episode is played out like a comedy of errors much like the old Keystone Kops movies. Best Buy’s Geek Squad took the machine to repair a power switch, and it hasn’t been heard of since. It was three months before Raelyn Campbell even found out her laptop was lost, which in itself is a violation of Washington, DC law that requires notification of a security breach because tax records were involved. Campbell filed a $54 million lawsuit to get their attention, and it worked. A fellow blogger and privacy attorney, William Morriss, did a post on this you will want to read here. It is his professional contention that Best Buy will spend much more money than what the victim originally asked for in compensation for the lost computer, due to potential legal fees and eventual damages to Campbell. Morriss also sees the outcome as “a powerful example of how allowing consumers to protect the security of their own data can have beneficial effects beyond consumer privacy.” He also told me that a person’s information is essentially an extension of that person, and having respect for information is really about having proper respect for the subject individual. This phrase should be hanging in the board room of every business in the U.S. that collects names and personal data. What it has come down to is the fact that many companies respect neither the private information nor the “subject individual” which is evidenced by the alarming number of data breaches that just keep on coming. 
There have been 44 just since the first of this year, with 443 in 2007, 315 in 2006, according to the Identity Theft Resource Center, in an Information Week article. Folks, if we keep growing the identity theft business at the rate of nearly 41 percent a year, we are headed for a catastrophe. More numbers include 127 million personal data records lost or stolen in 2007 from the 443 breaches, compared to 20 million in 2006. Granted, 94 million in 2007 were from one company, TJX (TJ Maxx, Marshalls) but even without that, there was a 65 percent increase of records exposed in 2007 over 2006. And if you think all this sensitive data is just going to remain dormant somewhere, think again. There were 8.4 million identity theft victims in 2006, averaging a $5,720 loss each. However this was down from 9.3 million in 2005. But even with a comparable decrease in 2007, there will still be 7.5 million victims. I don’t think that’s acceptable.

Tomorrow: how Office Max “inappropriately” obtained my wife’s driver’s license number. Another episode of the Keystone Kops.

Thursday, February 21, 2008


There have been 44 personal data breaches since the first of the year, and more than half of them, 23, have occurred in the educational community. Most are on college campuses, and include such prestigious schools as University of Minnesota, Georgetown, Penn State, Baylor, U. of Wisconsin, Iowa, and Georgia, and New Mexico State. On a long term basis, higher education has accounted for just over 25 percent of all breaches, but 2008 is starting with a bang. There is a 184 page report on “Educational Security Incidents-2007” you can see here, and I am going to highlight some of its major points in this post. 2007 breaches in education rose 67.5 percent to 139, affecting 112 institutions, a 72.3 percent jump over 2006, according to Inside Higher ED. Security incidents involving social networking sites like Facebook are increasing on 13.2 percent of campuses. More computer hardware is being stolen, and it was revealed that, overall, in 47 percent of the incidents, employees were “in some way” responsible. The larger the university, the more likely they are to be targeted. This makes sense since the bigger schools will yield the most data, which includes name/address, birthday, and Social Security number. Inside Higher ED reports that the education community lost, had stolen or somehow disclosed 1,085,708 Social Security numbers in 2007 in 103 separate incidents. It is no secret that data security at these institutions is some of the worst in the country, and apparently is not improving. There is a good article on titled, “Going back to school on security,” which speaks for itself. It also documents recent data breaches by school, with specifics relating to each. The author recommends three steps for improvement: 1) educate the ones handling the data about the importance of security; 2) the school should have a written contract with data handlers; 3) police the site regularly to ensure there is no personal data revealed.
Maybe this is obvious to many, but I have not heard the question raised yet. It is: don’t these larger schools teach courses in data security in their computer science departments? If not, they should, even the smaller colleges. If they do, has anyone thought to form a task force putting the professor of this curriculum in charge of determining what the school’s problem is, and recommending steps to fix it? Or is this just too simple a solution?

Wednesday, February 20, 2008


Periodically I cover junk mail lists on the market with attention directed to those that contain the most private information about the individual. I point these lists out to you because you should know who is keeping tabs on your daily activities and lifestyle habits. There is one thing that I can guarantee about these lists, and that is…your name, address and sensitive data will probably outlive you. One such list is AmeriLINK from KnowledgeBase Marketing, which professes to have private information on 230 million individuals nationwide. That’s about 76 percent of the total population, and they aren’t even one of the big-five consumer database companies (Equifax, Experian, TransUnion, ChoicePoint and Acxiom). They are big enough to have collected and made available for sale a wealth of information on most of the American public. Facts like your household income, your date of birth, your net worth, your telephone number, all arranged conveniently with your name and address. It’s the kind of data ID thieves would kill for. But that’s not all. For 45 million of you, there is voting data indicating your party preference. They know what credit cards you carry, and when you opened these accounts. That info isn’t as significant as the fact that the credit card company gave it up specifying you as the holder. And one of my biggest concerns in this area is the selling of your medical ailments. This covers most all the cancers, high blood pressure and cholesterol, diabetes, heart disease, including heart attacks, Alzheimer’s disease, erectile dysfunction, depression, lung disease, and the list goes on and on. The release of this kind of data, which points right to the individual, raises all kinds of privacy flags when it comes to applying for health insurance or for a job. Yes, you must be honest with potential insurers or employers, but my concern is the amount of potential inaccurate data in these lists. 
In a study by non-profit, Privacy Activism, they found errors—including name, address, Social Security number—in 67 percent of background reports from Acxiom, 73 percent from ChoicePoint. If you smoke, drink or gamble, someone can buy this information, along with the fact that you travel frequently. If you have taken an equity loan on your house, the original purchase amount, who owns the property, the lender’s name, interest rate and loan type, along with the mortgage term are recorded, ready for sale. If you move, what kind of house you moved from and to, the distance of the move, and the new and previous address. They have a list of “attitude” categories from “adventure seekers” to “youth chasers.” And then some quirky selects like “I am at capacity,” “I am down to earth,” and “I am devoted,” which are results of combining all your demographic and lifestyle data and through computer modeling, predict what your core values are. This last one gets creepy, and smacks of Big Brother. In the case with companies like AmeriLINK, you just have to hope they have data breach security in place, and that all employees are honest and aware of the potential of information loss. On the other hand, we could grant consumers control over their names and personal data which would ensure this security. AmeriLINK and other junk mail list companies like them could still sell our private information, but with the consumer’s finger on the approval button, and aware of any transaction using their personal data. The real upside of this move is that identity theft could probably be eliminated.

Tuesday, February 19, 2008


Industry publication DM News has partnered with Pitney Bowes to produce a glorifying portrait of the junk mail business as being concerned about the environment. A broad statement was made from the report that it “suggests consumers greatly overestimate the environmental impact of direct mail (junk mail), a fact that likely colors attitudes toward the medium.” It goes on to say that people enjoy their mail and do not want to stop receiving it, even if that were to benefit the environment, and that they are open to industry efforts to police itself. Reading further in the release, it was noted that junk mail is responsible for only 2 percent of municipal waste in the U.S., according to the Environmental Protection Agency. As a former junk mail list/data broker, I can assure you that the industry’s concern over the environment—at least during my 35 years—extended only to the point that it did not affect the bottom line. Sure they thought about it, even some mailers used recycled paper, but there was never an all-out crusade for change that I know of. But that’s not the point. The point is just what does that 2 percent of junk mail represent, considering that it is a medium forced on a high percentage of the public? I know this because, as a data broker, the junk mailers to whom I sold names and personal data had an expectation of only 2 responses out of 100 pieces of mail sent (2%). Although some of this lack of reply is due to the wrong product or service being delivered, there is no way this can account for 98 percent not responding. And in a report cited by New American Dream, a non-profit devoted to conserving natural resources, 44 percent of junk mail is thrown away, unopened. So what does all this add up to?
More than 100 million trees lost each year from junk mail, with nearly 6 million tons of it ending up in municipal waste; each consumer will get 560 pieces of junk mail each year, according to Global Junk Mail Crisis, accounting for the majority of household waste; 28 billion gallons of water are wasted yearly to process paper for junk mail; declares that Americans pay $370 million annually to dispose of junk mail that is not recycled; 41 asserts that due to the high concentrations of heavy metals in junk mail inks, it is difficult to recycle. Based on these statistics, I find it hard to feel sympathy for the fact that junk mailers are burdened with an attitude toward their industry that is considerably less than illustrious. Especially when there are ways to reduce the unsolicited volume. First, predictive modeling programs that can target those who want certain products and services, something junk mailers have been reluctant to do for years due to the cost. Second, organize an industry coalition that would embrace my concept of giving consumers control over their names and personal data. Until then, by sending out 100 catalogs or whatever with the baggage attached that I have documented above, and only 2 people respond to this effort, it will continue to be junk mail.

Monday, February 18, 2008


I just received my new voter identification card, and, like many Arizonans, and those of you from other states as well, I am not listed as an “Independent” party voter like I wanted to be, but rather as a PND: “Party Not Designated.” Sounds like a sinus infection. This is not what I asked for, and the time has come for states to recognize the fact that there is a movement going on that signals the fact that people are not happy with the course of American politics, particularly the current two party system. It is Independent-thinking individuals—35 to 42 percent of registered voters, by the way—who have come to the conclusion that neither Democrats nor Republicans represent their convictions, and they should be acknowledged correctly by voting officials. We are represented by the organization, Committee for a Unified Independent Party, and I suggest that any of you who are, or are leaning independent, visit their site. There’s a wealth of information there, and you can sign up for e-mails that will keep you up to date on the issues. On another similar front, I want to congratulate the AARP (Amer. Assn. Retired Persons) members of the state of West Virginia over their outcry for their state to pass a bill to notify consumers when their sensitive information has been compromised. 40 states already have. In an AARP vote, 90 percent said notification should be a legal requirement, according to an article in the Charleston Daily Mail. But here’s the kicker: 70 percent said they “would be likely to vote for a candidate supporting such a measure.” So why haven’t we seen at least a nibble from any presidential candidate on the identity crisis issue? I have written Clinton and Obama and expressed my concerns over the problem. Clinton didn’t even answer; Obama ignored my question, but has called and e-mailed repeatedly for campaign support. I even talked to someone here in Phoenix who put me in touch with Obama’s Arizona campaign head. An e-mail to him was not answered.
I can see why Clinton beat Obama in Arizona. And then along comes a mailing from Howard Dean; Howard apparently likes me since he sends me so much mail, considering the fact that I have not been a registered Democrat for over a year. It’s another survey, the kind of which I have posted on before, that asks all the questions except the one many in this country are focused on right now: “Am I interested in Congress passing a meaningful law that will protect all of us from identity theft?”, the number one consumer complaint for the seventh year in a row, as reported by the Federal Trade Commission. The survey covered the economy, immigration, the Iraq war, all of which are major issues. But isn’t over 8 million consumer victims of ID thieves in one year at least worth one question? I think so, but apparently no one cares.

Saturday, February 16, 2008


It is obvious that junk mailers are worried about their authority over our names and personal data when a list broker writes an article with the headline: “Self-regulate or Die.” It was in Multichannel Merchant, an online division of industry magazine, Direct. The author visualizes “a world in which no transactional data can be rented or shared unless customers have given express written consent.” It’s a dream I have been having for over ten years. This guy also thinks that if you ask, the customer will rush to say yes…go right ahead and sell my name and private information. There may be a lot of apathy out there over this issue, but I have the sneaking suspicion that, with the current identity crisis—which our writer has apparently overlooked or ignored—the public would make the decision to hold on to their sensitive data. One major reason they should is a statement made in the piece confirming one of my primary concerns about the junk mail business: “most direct marketers are not members of the DMA and are therefore not subject to its guidelines.” Simply put, they are subject to no industry regulation, and one of this group is a major catalog you probably receive regularly. Online shoppers are “fed up” with data breaches, and some aren’t taking it anymore. George Hulme writes in InformationWeek that the level of concern about their credit card privacy is at 57 percent, and that in 2007 only two-thirds of adult Internet users were buying online, according to a University of Southern California Center for the Digital Future study. That spells disaster for cyberspace commerce if something isn’t done immediately. Gartner Research finds some of those victimized at least alter their online payment behavior. Even while online, they are likely to pick up the phone to give payment details. In the recent Federal Trade Commission report on fraud and identity theft, there were 221,226 Internet-related fraud complaints in 2007 with an average loss to the victim of $2,730.
Interestingly, only 2 percent of those complaints came from those age 19 and under, and 12 percent from those over 60. Those 40 to 49 were the largest single group at 24 percent, with the rest spread pretty evenly. It’s bad enough that we have to guard against unwanted spam and phishing attacks, but if online retailers don’t get their security act together, much more of this valuable market will be shunned by the consumer. 2008 has already started with a bang; a hacker broke into a financial services company database located in Montana, stealing 226,000 names, addresses and Social Security numbers. By the way, they don’t do this just for fun anymore. I did a recent post on state notification laws that had some good information for looking into what a particular state has done to help alleviate this issue. Although I still feel it must be uniform, federal legislation—something we’re not likely to get with the incompetent U.S. Congress we’re stuck with—at least someone is trying. Forty of the states have passed something meaningful, but they all miss the mark of my concept of awarding control to the consumer over their names and personal data. You can find another source of this information at CSO Online (it stands for chief security officer), which portrays the data in the form of a map you can click on by state to get information: things like notification guidelines, penalty for failure to disclose, private right of action and exemptions. When you click on the flag over Washington, DC, you get pending federal legislation pertinent to data breach disclosure, which will probably not have changed when we look at the updated version of this map next year.

Friday, February 15, 2008


How often have you had a conversation with someone who made a skeptical statement followed by: “if you don’t believe me, ask so-and-so”? Well, if you have been somewhat dubious over my exclamations of what can happen to you in a case of identity theft, at least check this Federal Trade Commission site that documents how bad the problem was in 2007. Out of 813,899 fraud complaints to the FTC, 258,427, or 32 percent, were related to ID theft. Heisting your credit card number was the top method used at 23 percent, followed by utilities fraud, 18 percent, and employment fraud, 13 percent. The total lost in 2007 was $1.2 billion, which breaks down to a median out-of-pocket loss to the victim of $349. The FTC received just under 140,000 more fraud complaints in 2007 than in 2006. Statistics may be boring to most of us, but it is hard to overlook the kinds of numbers revealed by this latest FTC report on identity theft. You can see the complete 92-page report here. It contains all kinds of goodies like percentages of victims by age: 28% are between 18 and 19, followed by 23% 30 to 39, 19% 40 to 49, 13% 50 to 59, and 10% 60+. Los Angeles had the most complaints, followed by the Miami area, then Phoenix. Arizona is the top state for victims per 100,000 population. On page 13 of the report there is an array of methods of how the bad guys stole identities, from credit card fraud to Government documents or benefits fraud. They don’t miss much, and if you follow this blog regularly, you know they come up with new schemes on a frighteningly regular basis. The identity crisis is out of control, and, unfortunately, there doesn’t seem to be any chance its progress will be curbed any time soon by either business or government, both of which are the source of the problem. With the economy on a downward spiral, the U.S. Congress has put this issue on the back burner…way back. But the crooks are taking advantage of this situation, and stepping up their fraudulent activities.
States are passing data breach notification bills—40 to date—but that is only a band-aid, an after-effect. The damage is already done by then, and if you are one of the victims you could be on the road to financial ruin. There is a way. Would you be willing to take over the responsibility for your name and personal data, deciding where it may be used or sold? If the answer is no, read no further. If it is yes, join me in my grass-roots movement to give consumers control over their names and private information. Let me hear from you.

Thursday, February 14, 2008


In a December 2007 article in Multichannel Merchant, Denise Hopkins documents how data collectors can turn your innocent credit card purchase into a treasure trove of valuable information by appending additional personal data. Hopkins is the vice president of marketing and product development for Experian Marketing Services, one of the top five consumer database companies, and one of the top three credit bureaus in the country. The reason that it is important to spend this extra money to better identify you is that one-third of all consumer purchases are made with credit cards, amounting to $40 out of each $100 spent. The Experian VP states that the customer is already aware of the company’s “brand,” with the implication that this makes building a profile of the individual OK. It is not! What it is, is a sneak attack through the back door, building a dossier on a person who has no inkling of what is going on. There is no mention of selling this information, but in junk mail circles, when you buy something from one of these companies, that usually translates into the right for them to sell your name and personal data, and that is the business of the Experian Marketing Services division. As a former list broker, I bought lists from them for years. You can, of course, opt out of the sale of your sensitive data, but in Hopkins’ process this is an afterthought. She even gives a blueprint of how to pull off the caper. You lift the information from the magnetic strip on the back of the card, which normally includes the card holder’s name and address. Then, proceed to the third party data service—which Experian provides—to append the extra juicy stuff like your age, income, occupation, education, home value, and the list goes on and on. They even know if you gamble, drink, smoke, and have your medical ailments and the prescriptions you take. Denise Hopkins may not have had any of the scenarios I have created here in mind.
What I can assure you is that it is all possible—and with the junk mail industry committed to collecting and selling every morsel of private consumer information they can get their hands on—it is also likely. So you tell me. Is it chutzpah or arrogance? Or have junk mailers really convinced themselves that they own our names and personal data, and may do with them exactly as they please? I believe it is the latter. See more posts on Experian here, here and here.

Tuesday, February 12, 2008


The state of Indiana is trying to pass legislation requiring any company suffering a data breach to notify the state’s Attorney General’s office. According to a C/Net article, the big guns are out, including Microsoft, AT&T, and Verizon, “frantically” attempting to kill the bill. It would be the first instance of a state requiring this action by data-breaching companies, providing a central location for consumers, the media, and researchers to search. Lobbyists against the legislation claim that phishers could have a field day using a fraudulent AG site to which a victim would link and give up private information. That is a possibility, and the Indiana AG should place a prominent warning on their site, in close proximity to the breach information, that they do not request personal data, and that ID thieves might contact them attempting the phishing technique. New Hampshire is already doing this as a policy of the AG’s office, but it is not required by law. Chris Soghoian, author of the C/Net article, states that he was unable to confirm that phishing had occurred as a result of the NH reports. Paul Stephens of Privacy Rights Clearinghouse backs this up, dismissing the lobbyists’ claims and stating that “we have not heard of anything of that nature. All of the information on our site is otherwise available elsewhere, we are just creating a handy compilation of information.” However, sites like the one in Indiana will have minimal results unless the breaching company is required to notify the AG’s office immediately, meaning 24 hours, 48 hours maximum. Otherwise, the fraud of identity theft could already be in process, considering that it has been proven that stolen private information hits the underground Internet in less than 24 hours. More grist for my concept that consumers should have control over their names and personal data. I did check a recent announcement on the NH site; the Young Women’s Christian Assn. Retirement Fund had a breach on October 1, 2007.
It wasn’t reported to the AG’s office until November 13. The damage, if any, was already done by then. There are currently 40 states with data breach notification laws. You can check your state here for more specifics, or if you don’t find it listed, ask your state representative why he or she isn’t concerned over the identity crisis. While state laws have had to take up the slack of an ineffective U.S. Congress on federal privacy legislation, in the long run it probably won’t work. In all fairness to business and government agencies, interpreting and implementing fifty separate laws to stay in compliance is ridiculous when it is obvious that the identity theft problem is a national issue, even an international one. We need a federal law that grants consumers control over their names and personal data, and in the same legislation compensates them when it is sold.

Monday, February 11, 2008


In an article by Andrew Burger in the E-Commerce Times (see Part 1, Part 2), and reported in TechNewsWorld, a senior researcher from security software firm RSA indicates that the consumer is usually indemnified from the loss of their money in the banking and electronic commerce industries, but not from the trauma of cleaning up the damage to their credit. In the latest report from Javelin Strategy and Research, the individual is still stuck with an average loss of 25 hours of their time, plus the cost of attorney fees. One report on privacy cites the impact of identity theft as being comparable to that on victims of violent crime. Burger quotes USA Today as reporting that personal ID theft more than tripled in 2007; the Identity Theft Resource Center (ITRC) says the increase was four-fold. Some other facts in the article are the U.S. Secret Service’s estimate that the average identity theft case they closed from 2000 to 2006 was $31,000. In 2004, consumers could expect to recover 80 percent of the money lost, dropping to 54 percent in 2006. Also confirmed was the fact that loss of your Social Security number is still the most important factor in ID thieves stealing your identity. ITRC lists some of the aftermath of experiencing an identity theft, with effects including increased insurance and credit card fees, difficulty finding a job, higher interest rates, and the battle with collection agencies and credit card companies that refuse to honor your evidence of the crime. Another alert in this piece was a reminder that family members and friends commit over 40 percent of the fraud. And dumpster diving still accounts for a significant amount of your sensitive data ending up in the hands of the crooks, but the computer is the “enabling” technology that neatly ties it all together. In Part 2 of the article, there’s a startling revelation from The Wall Street Journal that in 2006, as the result of a data breach, the average company lost 12 percent of its stock price value.
You would think that would move most to fix the situation, but, as stated above, incidents of the crime increased 400 percent in 2007 over the prior year. According to Randy Abrams of security firm ESET, failing to encrypt stored data is “one of the most egregious errors” committed by business and government. In another interesting detail, in 2005, 20 percent of customers in the U.S. who suffered a data breach stopped doing business with the company responsible. Reason number two that business and government should have taken action in 2006 and 2007 to remedy the situation. Burger ends Part 2 with another statement from Abrams: "As long as personal information is a commodity that does not belong to the consumer, as is the case in the U.S. -- in stark contrast to some European countries -- identity theft will be facilitated. The nature of the ownership of personal information is an enabler of identity theft that is sanctioned by the U.S. government through antiprivacy legislation." Not sure about ownership, but the consumer should be given control over their names and personal data now, and they should be compensated when it is sold.

Saturday, February 09, 2008


Friday’s blog covered the major ingredients of the Sears program dubbed Sears Holdings Community (SHC), aptly named because the customer gave them private information that the retailer shared with the community. They have since shut down this feature, but the damage was done, resulting in a class-action lawsuit against Sears. The company says it did right by its customers by giving them specifics on how their habits would be tracked, but non-profit group StopBadware said this was inadequate. In my reading of this incident, I can find no excuse for the fact that not only could the customer access his or her data on the site, but so could everyone in the neighborhood, actually in the whole country. That is a primary factor in filing the lawsuit. In an article from junk mail publication DM News, Sears insists that it accurately described the procedures of the program. Since the site was pulled, it is impossible to find out the particulars of whether or not this is true, but in the class-action case there is also mention of other potential harm to the SHC user. Hackers could access the system and initiate phishing scams using the Sears name to convince the customer to give up more personal data. If you are really interested in the lawsuit, there is a PDF copy here. Fortunately, we have people out there like law professor Ben Edelman and organizations like StopBadware to hold companies accountable for blunders like this. But if a business the size of Sears does not have the oversight to prevent incidents of this kind, there is only one method that will put a stop to future threats. Either Congress must pass legislation giving consumers control over their names and private information, or business and government must join together in an alliance that will accomplish this goal. Otherwise, in keeping with recent trends, we can expect more of the same.

Friday, February 08, 2008


Ken Magill, a columnist for junk mail publication Direct, also a self-proclaimed drool-bucket moron, shoots off his big mouth again; this time about the Sears privacy issue over the ComScore software that powers the Sears Holdings Community (SHC). He labels our concerns over the loss of privacy as a “witch hunt.” The Sears customer was encouraged to join SHC, resulting in the downloading of software that tracks his or her habits, without the user knowing what’s going on unless…you read the fine print. Ben Edelman, asst. professor at the Harvard Business School and noted anti-spyware researcher, says that in this incident “Sears falls short of Federal Trade Commission privacy standards.” In the same article, Edelman states: “Privacy statements are bunk and they need to change.” Edelman also joined the “My SHC Community,” walking us through the maze of procedures and the “Privacy Statement and User License Agreement,” a 2,971-word document in a small scroll box with only ten lines visible. Only on the tenth page does Sears mention that it “monitors all of the Internet behavior that occurs on the computer on which you install the application, including … filling a shopping basket, completing an application form, or checking your … personal financial or health information.” Although this may even be bordering on satisfying their legal obligation, it is unclear why Sears would bury it on page ten. Chief junk mail ranter Magill makes light of Edelman’s comment that “sophisticated” users would pick up on the threat to their privacy and stop installation, but novices might proceed not understanding the potential hazards. What do drool-bucket morons know about sophistication?
In a Washington Post article, the law firm of KamberEdelson filed a class-action suit against Sears in Cook County, Illinois, just before the retailer took down the most startling part of the ComScore software, which allowed someone to create a free account and look up the purchase history of any customer. This is Privacy 101 and it is hard to understand how an organization the size of Sears would not have had the oversight to catch this before implementation. Attorneys can see a copy of the complaint here. KamberEdelson, by the way, is the same New York City-based law firm that successfully sued Sony BMG Music Entertainment when millions of music CDs were shipped with spyware. But the fact of what Sears did is not the real point of today’s post. Although the incident is important to understanding how irresponsible the business community can be with our personal data, the real culprit is the junk mail industry and its disdain for conceding that it is wrong in matters like this. Agreed, columnist Magill does not represent the attitude of all junk mailers, but from my 35 years as a list/data broker, he has a majority in his corner who are still convinced that they own your name and private information. More on this tomorrow with Sears’ reaction.

Wednesday, February 06, 2008


Although we may not have completely answered Wharton’s four questions from yesterday’s post, my conclusion that business and government have now moved on from serious concerns over consumer privacy due to the apathetic mood of the public is a partial acknowledgment, but probably highly controversial to many. But if you think I am overreacting, why have we had 32 personal data breaches already in the month of January, 2008; why was the loss or theft of credit card and Social Security numbers in 2007 at record levels; and why are consumers so confused over the information they do receive that they are rushing to pay for ID theft protection they should be receiving from the company or government agency collecting their private information? Returning to the Wharton study, there is comment on Google’s scanning of its Gmail service to determine what you have discussed, as well as to block viruses. This is “creepy,” according to Casey Corr. Also mentioned is Microsoft’s new HealthVault service, with which I have had a direct connection. I signed up for HealthVault and asked the question: “What level of encryption does HealthVault utilize to prevent someone from breaching the database that holds my personal health records?” I finally received a vague answer from the customer service representative explaining the most secure systems available, first for my sending of the data, then for Microsoft’s handling of that data. Although he says he doesn’t know for sure, he is certain MS uses the “best the industry has to offer.” I don’t know about you, but that’s not good enough for me. Wharton marketing professor Z. John Zhang talks about companies assembling the data in-house that they collect from you online to form profiles and lifestyle habits, resulting in the creation of an aura of Big Brother. Zhang laments our lack of concern over losing a little privacy here and a little privacy there, which consumers seem not to notice.
But it all does add up and all of a sudden we’re looking at Orwell’s 1984. Back to Joseph Turow, director of the Information and Society Program at the Annenberg Public Policy Center (APPC) at the University of Pennsylvania, who thinks transparency in what information is collected and how it is used, although unlikely, is probably the answer. But no data collector is likely to do that since it scares the consumer, who would then opt out. But Turow finally hits on the right approach, one I have been advocating for the last three years in this blog. He says: “There is a hybrid approach where companies could have an 'opt-in only' policy and pay customers for information and insight.” An inducement, Zhang adds. Yes, the answer is to give consumers control over their names and personal data, and compensate them when it is sold. Why is it so hard for business and government to come to grips with this concept?

Tuesday, February 05, 2008

I subscribe to a newsletter from The Wharton School of the U. of Pennsylvania that covers a wide collection of subjects connected to the business world and what affects commerce. It is not specifically consumer oriented, but it often takes the viewpoint of the individual, as did an article in the Nov. 12, 2007 issue titled, “Who Owns You? Finding a Balance between Online Privacy and Targeted Advertising.” First off, the act of reading is slowly but surely progressing toward the Internet, which may not be bad if we insist on the same quality of content that we do in buying select books. I had a literary agent tell me recently that everything points to the Internet as the new path of communications, adding that it looks bleak for the book publishing business. Even as an avid Internet user, I cannot imagine a world without books, but then, maybe I’m old fashioned. The Wharton piece starts off by talking about the Facebook debacle where the popular website introduced a new program called Beacon, designed to track, among other things, a Facebook user’s web behavior, which could be accessed by other Facebook customers. It is beyond me how seemingly intelligent employees at Facebook didn’t hear the alarm bells go off the minute they thought of this, much less after implementing it. The upside is the fact that many of the company’s complaints came from high school and college students, as well as young professionals, who said…whoa! Facebook’s CEO, Mark Zuckerberg, thought he had dreamed up a new procedure to share products between users. What he failed to remember was that he should have gotten their permission. And that is basically the root of the problem when it comes to the collection of names and personal data. This was an experiment, as was the Intelius venture into creating a cell phone directory with 90 million cell phone numbers covered in yesterday’s post. Wharton had four very good questions re. this kind of experimentation: 1) Will it continue?
2) Are these incidents just a precursor of what’s to come? 3) Will consumers become hesitant to give up private information? 4) Is there really any privacy online? Joseph Turow, director of the Information and Society Program at the Annenberg Public Policy Center (APPC) at the University of Pennsylvania, explains that we are in the era of targeting customers, which has created a post-privacy stage in consumerism. Do you have any idea what the implications of this are? Data handlers have observed that the general public remains apathetic about the privacy of their names and personal data—the “apathetics” as I call them—so business and government have now moved up to a comfort level that allows them to dig deeper into consumers’ private lives. They want to predict your every move, and, while mostly innocent, this situation holds great promise for unethical business, and a potential gold mine for the identity thieves. My words. It wasn’t until there were a slew of complaints that Facebook changed to an opt-in policy for the Beacon program, with prior permission required before being included. More on the Wharton article in my next post.

If you are interested in subscribing to the Knowledge@Wharton newsletter, click here.

Monday, February 04, 2008

WE’RE BACK! The hiatus was a little longer than anticipated, but it was necessary to complete some work on a highly specialized reference book addressing the problems of the identity theft issue in a completely different way than anything on the market. Plan to talk about this soon in a future post. Now, back to my commentaries on the regular abuses in the collecting and selling of your names and personal data.

Most of us consider our cell phone numbers completely private, except to those to whom we give them. The Federal Trade Commission backs us up, making it illegal for telemarketers to use automated dialing devices to call cell phone numbers, which most junk phone companies use to contact us. In my opinion, because of the high incidence of dropped calls, automatic dialing itself should be outlawed. And now there is a company by the name of Intelius Inc., providing an array of services from background checks to people searches, and most recently a cell phone directory with 90 million mobile telephone numbers. But according to an MSNBC article, Intelius admitted the public wasn’t ready for a cell phone directory, and pulled the service off the market. Folks, it is time to draw a line on the privacy beach and say…no more. No sooner is a new technology developed than the predators are there to exploit every facet of it. As an example, Intelius was charging $14.95 to look up subscriber names and cell phone numbers. But ultimately the crooks will have a field day turning your private information into a playground for stealing your identity. We’ve already experienced the e-mail scam that duped many into turning over their cell phone numbers, thinking the FTC was establishing a do-not-call registry. In response to this, a large number of cell phone companies got together and hired a company, Qsent, Inc.—since bought out by one of the big three credit agencies, TransUnion—to produce a wireless 411 service with the stipulation that customers must opt in to be in the directory. It would be available only to the 411 directory assistance service. A news release on the Qsent website starts, “In the future, a new Wireless 411 Service will provide…” so it appears that this idea too is in limbo. In addition to outcries from cell phone users and privacy advocates, Steve Zipperstein, VP and general counsel of Verizon, told Intelius, “Stop it. This is a violation of Americans’ privacy.
People expect their cell phone numbers to remain private.” But where was Steve when Verizon got involved in the NSA spying incident? And the worst is yet to come. Joseph Ridout of Consumer Action says there is one last example of Intelius’ unresponsiveness to the consumer. In order for the 90 million people to opt out of the company’s data collection scenario, you must make a copy of your driver’s license and mail or fax this to Intelius. This, of course, creates another database including your name, address and driver’s license number; all the ingredients necessary for the bad guys to steal your identity. Some companies never learn.