Search This Blog

Monday, March 31, 2008


Instead of stepping forward with ideas on how to help solve the identity crisis issue—which is due in part to the junk mail industry’s handling of names and personal data—the Direct Marketing Association (DMA) and the businesses it regulates are wailing over the fact that states, fifteen of them, have started to enact their own laws. Industry publication DM News had an article on this recently covering the launching of a “stop junk mail” campaign backed by ForestEthics, with support from Hollywood celebrities like Daryl Hannah and Adrian Grenier. I would urge readers to visit this site and look at their very interesting points about junk mail’s effect on the environment. Fifteen states have introduced eighteen bills that may or may not pass to law. The DMA says it will hurt both the junk mail industry and the U.S. Postal Service. My answer to this is junk mailers could have prevented this by policing themselves years ago, and the USPS will survive without junk mail. I did a post back in October of 2007, DIRECT MARKETING ASSN. (DMA) FIGHTS STATE “DO-NOT-MAIL” LAWS…AND I AGREE,” that I still feel is appropriate. In that I quoted John Greco, DMA president, as saying, “the environmentalists and privacy advocates ‘distort the facts in their efforts to eliminate advertising mail to consumers.’” This from an industry whose best hope is that two out of the one-hundred pieces of junk mail they send out doesn’t end up in the garbage dump. In a later post, "US POSTAL SERVICE SAYS “NO” TO DO-NOT-MAIL REGISTRY,” February of this year, I did a comparison with junk phone calls—which almost everyone hates—and its counterpart in the mailbox which is sometimes welcomed. But to receive it should be at the discretion of each individual recipient. The blanket do-not-mail laws stop all junk mail which is fair neither to the person who wants it nor the businesses who send it. The answer is to give consumers control over their names and private information, and compensate them when it is sold as an incentive to assume this responsibility. Another champion of junk mailers, Gene Del Polito, pres. Of the Assn. for Postal Commerce, says, “Their facts are wrong. A lot of what they argue is based on myth,” but doesn’t explain what he is referring to. He adds, “When you take away all of those arguments because you have been able to disprove them, the only thing you're left with is their complaint that advertising in the mail is annoying.” Exactly what arguments? And even more bizarre, “When the day comes [where] you (you being the consumer) will start paying to receive mail, then I will be willing to concede to you that you have some ability or authority to control what mail you receive.” In other words, it is the opinion from the head of yet another junk mail industry organization—in addition to the DMA—that consumers have no right to choice in what comes into their household. I do not believe the American public agrees with this, but until they let this be known, their names and personal data will be exploited around the world, and many will continue to suffer from identity theft.

Friday, March 28, 2008


I plan to bring this series on medical identity theft to an end today with the startling but not new fact that it can kill you. Dramatic? Yes. Overstated? No. I did a blog in April of 2007, “If Stealing Your Name and Personal Data Weren’t Enough…Medical ID Theft Increases.” It follows a fictitious person who goes to the emergency room, gets the blood type of the thief who stole the real person’s identity, because the crook had an appendectomy in the real person’s name. If that didn’t do him or her in, the real person is given a drug to which they are highly allergic. All because the bad guy’s medical files were merged with the real person’s. Health care providers had become more cautious over this potential mistake even then, and it has only become worse. Even Pam Dixon, executive director of the World Privacy Forum confirms: "People can die from this crime." Naturally, the organized crime element discovered there was a fortune to be made on medical identity theft IDs (selling for $50) as compared to financial identity theft (Social Security numbers going for $1). In some cases this results from the desperation of some 45 to 50 million Americans without health insurance. Here’s a great line from a article written by Amy Buttell Crane : “Financial identity theft might wound your wallet, but medical identity theft can kill you.” Bankrate is a leading provider of financial information and research, and you should read this article if you have the time. The basics: “Medical identity theft occurs when criminals obtain information such as a health insurance identification or Social Security number and use it to get health care or to obtain reimbursement from insurers and others for false claims.” Crane says the least of your problems will be the financial side of medical ID theft. Do you realize just how grave a statement this is when financial identity theft has been the leading consumer fraud for the last seven years, causing billions of dollars of damages to consumers, as well as business and government? Since the Health Insurance Portability and Accountability Act (HIPAA) is so full of loopholes, and the federal government isn’t even enforcing the provisions that might help victims, the medical consequences are made much worse, according to Crane. This could affect victims’ lifetime care insurance caps, and make it near impossible to get future medical, life, long-tern and supplemental insurance. And here’s the shocker: “a 2006 PriceWaterhouseCoopers study, "The Global State of Security," reveals that data security isn't a high priority at health care facilities in the United States and around the world.” But everyone doesn’t think the “identity crisis” is for real. Jim Harper, author of a book I wouldn’t recommend on the subject, thinks medical identity theft is a “marginal risk” along with things like being hit by lightning, or being involved in a terrorist attack. Crane quotes him further: "The definitions that are being used to compile these statistics are overbroad." In other words, don’t cry wolf until you’ve discovered you just received the wrong blood in a transfusion. Pam Dixon adds: "one person being victimized by medical identity theft is a problem and something we need to be concerned about." That seems to be the major problem with business and government today; unless the harm is done to the masses, they can live with it and expect us to, and that is why the poor consumer continues to suffer needlessly in the growing identity crisis.

The article closes with seven points the experts recommend to help prevent medical ID theft: 1) Demand to look at your medical records; 2) Shred all personal health-related documents; 3) Place all confidential mail in the box at the Post Office; 4) Protect your ID; 5) The law allows you to request restrictions on communications between your health care providers and third parties, but it isn’t backed by HIPAA; 6) Check any medical records you are able to access online; 7) If necessary, request private medical information communication by alternative means, to prevent something like changing your address.

Thursday, March 27, 2008


The article by Arian Eigen Heald, “’Medical’ Identity Theft – New (to me) and Scary,” explains her dilemma, but what is scary to me is that it is “new” to her, an expert in her field of computer technology. Heald has served as a systems engineer, network administrator, webmistress, and a number of other positions related to the Internet and computers for years. So, if medical identity theft is new to her, we have done one lousy job of getting this fraud before the public, even professionals. And that is the answer and the reason for this series of posts on the subject. Part 3, yesterday, covered a couple of bizarre incidents in Florida where millions of dollars were stolen by crooks. We closed by covering an article voicing privacy advocates’ concerns over the latest rush to build personal health record (PHR) databases by Microsoft and Google, and my promise to illustrate how we might make this all work. See Part 1, Part 2. Picking up again on the Washington Post article quoted from yesterday, Deborah Peel, a Texas psychiatrist and founder of the non-profit, Patient Privacy Rights, “wants Americans to retain exclusive control over their medical records.” Now there is an idea I can get behind 100 percent. Although Microsoft has said they won’t, Peel thinks that the information given to the PHRs would be shared with data mining companies, and could end up being sold to insurance companies and on the open list market. And she is exactly right, based on my 35 years as a list/data broker and database consultant. In addition, PHRs are not covered by the Health Insurance Portability and Accountability Act (HIPAA). The excitement over public health record databases by the MSs and Googles is beginning to sound like the frenzy in the junk mail list business years ago when they first realized they had personal consumer data to sell like your telephone number and date of birth. This has escalated today into humongous databases with private information on millions of Americans, including up to 250 personal identification characteristics about each individual. The leaders are ChoicePoint, Acxiom, Experian, Equifax and TransUnion, the latter three also being credit bureaus. Sidney Wolfe, director of Public Citizen’s Health Research Group says that no matter how secure the PHRs think they are, it only takes one insider to steal the information and sell it to insurers or employers. It seems that, since the identity crisis was officially put in motion in early 2005 by the ChoicePoint breach, before we can solve one problem—like financial identity theft—another hot potato surfaces…like medical ID theft. Business, government and the Congress have been skirting the issue since it became apparent this crime was not only here to stay, but seems to get worse every year. In three years of blogging on The Dunning Letter, I have held to one concept that I feel sure will solve the identity theft dilemma. Give consumers control over their names and personal data, and compensate them when it is sold as an extra incentive to take over this responsibility. Deborah Peel is a force behind this philosophy in relation to medical data, and it is time the general public got behind the both of us.

Wednesday, March 26, 2008


Earlier posts on this subject, Part 1, Part 2, point out how medical identity theft has been developing over time, and how it has begun to escalate recently since the bad guys have realized the return can be much better than its counterpart on the financial side. As an example, a medical identification number brings $50 on the street as compared to your Social Security number which is worth about $1 today. According to the World Privacy Forum in an article by Jim McKay, medical ID theft accounts for 2.7 percent to 3.2 percent of total ID theft. It takes two forms: 1) using a stolen physician’s identification number to bill for services sometimes not rendered; 2) doing the same with the patient’s ID, which can be tragic in its consequences if you are the victim and later treated for someone else’s illness. Of the $60 billion attributed to health-care fraud, $600 million is caused by medical ID theft. And, unfortunately, there is no where to turn based on the loosely written Health Insurance Portability and Accountability Act (HIPAA). So the scams are beginning to escalate, like a clerk at a medical clinic in Florida who stole and sold 1,100 patient IDs resulting in fraudulent Medicare billing of $2.8 million. Or a ring of 38 people, in Florida again, who bilked Medicare out of $142 million. Not only is HIPAA no help, sometimes it even blocks attempts for consumers to correct their medical records. HIPAA policy says that “if incorrect information leads to inappropriate treatment, the correct information must remain to preserve a paper trail.” That is bureaucracy at its best, or worst if you are the victim. McKay says the World Privacy Forum “advocates a National Health Information Network that would be established using comprehensive risk assessments that prevent medical identity theft while protecting privacy, and more mechanisms for individuals to correct errors in their medical histories, as well as notification of medical data breaches to consumers.” I am not against the concept but I think anyone in the privacy field is running scared that what might be created is another database monster—this time with our most personal data—that will be vulnerable to identity thieves. In a Washington Post piece by Michael Gerber, he is once again talking about the Microsoft and Google personal health record databases, pointing out that many privacy advocates are warning the public to be cautious, especially if the PHR is offered through a health insurance company. This may be sold as a service to policy-holders, but my guess is that it is one more way to get your private information, in some cases with the possibility of causing problems with your coverage or claims. In today’s business and government environment, we are constantly bombarded with requests for more information on our private lives, data that becomes a permanent part of some company’s or agency’s database. We are assured by privacy policies that the collector will secure our sensitive data, and the next thing we find out is that this information has been breached. The question is just where is the balance that can make all this work? We’ll get to that next.

Tuesday, March 25, 2008


As I posted yesterday’s blog on Medical Identity theft Part 1, a story was developing at the Washington Post on another medical breach, small but significant. The National Institute of Health has several studies going on that involve clinical data that is highly personal. This particular one included participants’ names, birth dates, medical diagnoses, and seven year details of patients’ heart scans. There were 2,500 people involved, and right now all this private information is on the street where it could prove fodder for the ID thieves, or something equally as bad. It could also be used to deny insurance or employment. The WP article reports that the data was not encrypted, which was a violation of the government’s data-security policy. What’s worse, the person from whom the laptop was stolen—out of the trunk of his car, by the way—was Andrew Arai, a National Heart, Lung and Blood Institute laboratory chief who oversees NIH’s research program on cardiac magnetic resonance imaging. We’re not talking some intern who either hasn’t gotten the word or who doesn’t care about someone else’s personal data. We’re talking the guy who is head of the program of the data that was lost. He had taken his daughter to a swim meet, and someone just popped the trunk and made off with the laptop. Since he’s guilty of two strikes: one, he left the computer in the trunk of his car unattended, and two, he failed to encrypt the data, on the third strike he should be out. That would occur when one of the participant’s private information is used to victimize them. The NIH said “identity fraud not likely.” Elizabeth Nabel, director of the National Heart, Lung and Blood Institute, which is a part of the NIH study, said: “since the NIH incident, ‘we are ensuring" that all the institute's laptop computers are encrypted and that staff members will be required to take regular computer security training.’ She also said ‘patient names, other identifying information, or identifiable medical information’ will no longer be stored on laptop computers.” Forgive me, but how many times have we heard this crap? I believe we should hold accountable the people who actually commit the breaches, while working our way up the ladder to the top individual in charge. It has to start at the top, like with Andrew Arai, to be effective enough to get to the underlings down the chain of command. And somewhere along the line, we have to stop and say, “enough is enough,” and start charging those that don’t comply. The government is responsible for almost 20 percent of all data breaches, and apparently there is no end in sight to stop the momentum. Even with a data-security policy in place, the breaches continue to happen. It would be interesting to find out what action—if any—is taken against government employees that violate the data-security policy. I will try to answer this in a future post. Finally, there is no way to determine the purpose of the crook stealing the laptop, but considering the fact that you can buy a new one today for less than $500, you have to think that a majority of these thefts might be to steal your personal data. More coming on this subject.

Monday, March 24, 2008


On February 27 of this year I posted on the new trend of health data collection, "Warning Out on Health Data Storage Sites,” which commented on Microsoft’s Health Vault, already up and running, and a Google version we should be seeing soon. There are mixed emotiions about this new concept of databases; on the negative side by privacy advocates, but on the positive side, it could save lives. It could also kill you, as expressed in a World Privacy Forum report that we will get to in a later post on this subject. But today I want to concentrate on what’s being done about the problem that is said to be much more destructive than financial identity theft: medical identity theft which represents close to 15 percent of all personal data breaches. In a recent article on Yahoo Finance, pharmaceutical company, Amgen, is being sued for lost pay by two sales representatives because they refused to go along with a scheme for them to search doctors’ confidential patient medical records. They were allegedly supposed to look for potential patients to push Amgen’s new drug, Enbrel, to treat psoriasis. Legal experts say this violates federal patient privacy law – Health Insurance Portability and Accountability Act (HIPAA). The Amgen sales reps. were supposedly instructed to ask doctors if they could go through files to identify the patients they were looking for. Does that mean some doctor’s—or maybe several—allow this practice? I’m asking my docors now, and suggest that you also question yours. Haven’t these people already heard enough horror stories from HIPAA violations? If the docs do allow it, they too are guilty of disregarding HIPAA. And then there were the hospital breaches of George Clooney’s and Britney Spears’ private records, reported by the New Hampshire Union Leader, and SC Magazine . I don’t care if it is celebrity curiosity, it clearly shows how lax the security was at both hospitals. As usual, California leads the way when it comes to the privacy of its residents. On January 1, 2008, the Golden State expanded the data notification law to include medical information and insurance data. Read more here. The law requires businesses or persons conducting business in the state with personal information on individuals to disclose any breach of their system, and disclose it “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.” The three main parts of the law’s expansion are: 1) included now are medical and health insurance information; 2) it also applies to companies like Microsoft’s Health Vault and Google’s similar program; 3) in their freeze law, public records are no longer covered. It was this law, California S.B. 1386, that exposed ChoicePoint’s breach back in early 2005, actually the breach that started business, government agencies, and Congress to think about the identity crisis. Unfortunately for many in business and government, and all of both the senate and House of Representatives, that’s as far as it has gone. As of March 22, 2008, There have been 829 breaches of personal data, exposing 223,142,082 private consumer records in just over three years, according to the Privacy Rights Clearinghouse chronology.

Saturday, March 22, 2008


To complain about identity theft or not to complain. You’d think there was a clear answer here that, YES, as a victim I want to register my complaint with the Federal Trade Commission to help catch the ID thieves, and hopefully stop them from committing this fraud again. But Alexis Moore in her blog doesn’t agree. Because it takes up to an hour, and because she believes “the consumer receives nothing in return,” she would not do it again, even though she was a victim. The statistic alone is extremely important in that the FTC publishes reports on this criminal activity regularly to convince business and government to improve security for Americans’ sensitive data. That information also serves as guidelines to law enforcement on how to prioritize efforts to help solve the crimes. I’m the first to admit that ID theft, although it is the number one fraud against consumers, does not get the attention from business and government that it should. And Alexis is right about the need for legislation to help solve this issue, and that should be at the federal level. Unfortunately, we won’t see that in an election year, so please be a responsible citizen and report any victimization that happens to you at the FTC ID Theft Complaint Input Form. How to respond to a data breach disclosure letter. This is an area that has been neglected, but, a magazine devoted to data security, has come up with 5 steps of advice you should listen to if you have received a breach disclosure. These suggestions come from noted authorities on this issue: Larry Ponemon, founder, Ponemon Research Institute, and Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse. First, after carefully reading the letter, search the Internet for more info on your particular case. You want to know everything you can about what was compromised, and if it was a result of negligence or theft. Second, monitor all your accounts as soon as possible, particularly your credit cards where the highest likelihood of fraud will occur. Third, if your social security number was stolen, or compromised, you must notify all three credit bureaus immediately. Four, consider a reputable credit monitoring service, and don’t forget you are eligible for a free credit report from each of the three credit bureaus once each year. Five, you will need to file a report with the police if you are the victim of identity theft, not just credit card fraud where you would notify the card’s issuer. Speaking of data breach disclosures, TJ Maxx and Marshalls stores are sending notices to millions of customers who might have experienced compromised credit card numbers. This includes vouchers and credit monitoring resulting from a proposed settlement with the parent company, TJX, according to an MSNBC article. The data hit the fan at TJX in January of 2007 when it was discovered hackers had been accessing their corporate system and stealing credit and debit card numbers for at least 18 months. In the end, it was learned around 94 million credit records were affected. TJX has done a very poor public relations job of handling the incident, and even refused for two months in the beginning to reveal the size and scope of the breach. A class-action lawsuit in a Boston federal court sort of nudged TJX into action, with their agreement to issue the vouchers and provide three years of credit monitoring. TJX even offered to hold a “Customer Appreciation” sale, something they should have thought about when they failed to secure all this personal data.

Friday, March 21, 2008


The “For Sale” signs are out everywhere, and in many cases they have been there for a long time. Many will continue to sit in front of homes that have been impacted by the downturn of housing and mortgage money available. If you are a regular reader of The Dunning Letter, you know that I consider mortgage offices one of the largest depositories of consumer personal data in the country. They are often the most insecure with file cabinets stuffed with your name/address, Social Security number, date of birth, and the list goes on. Even if the records are computerized, I doubt seriously that this industry has advanced any further—if that far—than large corporations like TJX (TJ Maxx, Marshalls), where close to 94 million credit card number were breached in early 2007. On March 13 of this year, I did a post based on the housing market meltdown, and how some of these bankrupt mortgage companies were dumping clients’ private information in the trash, without shredding. The fact that most of these records were still on paper indicates the level of technology accomplished by this industry. It also points out the lack of consideration some company managers and employees have for their customers’ personal data. Some mortgage companies keep your records long after the loan is refinanced or paid off. Like Joan Carpenter of Toms River, NJ, whose Countrywide loan was paid off, yet the mortgage company retained all her records and an employee ended up disclosing them. What was worse, it took her almost 6 months to be notified, according to a article. It is bad enough to lose the private information, but many companies like this increase the victim’s liability by delays in notification. On a similar level, there are thousands of real estate offices in the U.S. A recent article in quotes some ID theft statistics and comments from a real estate industry “visionary” by the name of Stefan Swanepoel that leads me to believe that the security of customers’ private information has not been one of the top priorities of this industry. Swanepoel said: “the protection of a customer’s data has always been important, but it was largely taken for granted prior to the Internet.” He continues, “With the advent of computers and the Internet, data on any given real estate transaction is now stored in multiple databases and computers, transaction management systems, Internet websites as well as paper files. “ Stanpoel offers seven suggestions on how to secure personal data, and the first tells us that many real estate offices do retain Social Security and credit card numbers along with your name/address, etc. This is where you find your dream home that you eventually go to the mortgage company to finance, once again giving up all that private information. In many cases this is unavoidable so why not go ahead now and do what will solve the problem. Give consumers control over their names and personal data.

Thursday, March 20, 2008


Once again the question has arisen of when harm has been done in a data breach. To prep you on just how serious this issue is nationally, Privacy Rights clearinghouse released the 2007 Javelin Research and strategy Survey that provides foundation for our concern. There were 8.4 million victims suffering a total loss of $49.3 billion (that’s around $5,720 per victim) spending 25 hours to clean up someone else’s mess. If that isn’t enough, the Federal Trade Commission reports identity theft as the top complaint at 32 percent in their 2008 Release on Consumer Fraud and ID Theft. From the FTC complaints, they are projecting fraud loss at $1.2 billion. Needlessly to say, it is a big problem. In a article by Jay Cline, the U.S. courts fall behind other countries in recognizing that data breaches do in fact harm people. My opinion is that the U.S. should get together with the European Union—whose protection of consumer privacy is way ahead of this country—as well as other countries where consumer personal data is outsourced, and figure out how to draw up a standard policy of data security. In the Computerworld piece, Cline interviews a law professor from the U. of Pennsylvania who says “The assault to personality and feelings is the quintessential privacy injury.” Now, I don’t even think I would go that far. Fellow blogger William Morriss, who is also an attorney specializing in consumer privacy law, says: “That rationale just doesn't work for me.” Continuing, he makes the point that human emotions are “notoriously” hard to quantify in a court of law. And yet another observation that is so true, “that most people place little to no value on the privacy of their personal information.” Pathetic, but that’s the real world. Morriss has a better option, which is to hold business responsible for quantifiable damages caused by a breach of their own making, even if it doesn’t result in ID theft. Cost of the individual’s time and the cost of protection services should be recoverable. Consumers should not be hung out to dry when a company gives up their private information, particularly when it is a result of negligence. My approach to solving the identity crisis would be to put the consumer in charge of their name and personal data. At the same time, compensate the individual when this private information is sold to give them the incentive to take control over their sensitive data. This would require either a coalition between business and government to implement the program—not likely in today's environment—or pass federal legislation that would grant this control. I have even entertained the idea of approaching states individually, but that would be a genuine nightmare for both business and government. But somehow this dilemma must be solved, and it must happen soon. How many more billions of dollars must go down the drain before we come up with the right answer to the identity crisis?

Wednesday, March 19, 2008


Of all the information available on The Dunning Letter that readers could search for, problems with the Experian Credit Bureau—particularly not being able to file a dispute or not being able to even contact the company—top the list. And this doesn’t even include general searches like “credit bureau dispute.” This has been going on since I posted on the fact that my Experian credit report—a report I paid $90 yearly to access—vanished from the system and didn’t return for two months. No explanation, zilch. Links to four posts: one, two, three, four. This all happened mysteriously after I had done some posts on Experian in my blog with unfavorable comments. Not that this was the reason, but, as they say, very coincidental. In addition, there were heated comments to the post links, above, from readers that seemed to be at the end of their rope and ready to pounce on the next person that got in their way. All because of a lack of response from Experian to real problems experienced by these consumers. Based on these experiences, and because does such a good job of documenting complaints against the three credit bureaus, I have decided to post regularly on the latest updates, bringing you the current status on problems with these agencies. In future articles I will also report on how consumers are dealing with this dilemma, and link to authoritative sites that provide advice on how to deal with any situation where credit bureaus balk at responding and/or legally following up on complaints. In this first post, Experian will be featured, but the other two credit bureaus, Equifax and TransUnion, will be covered at a later date. Now to the horror stories. There have been 12 of these since the beginning of 2008, all documented on Experian Complaints. New Jersey man reports Experian’s refusal to provide free credit reports, after insurance company breached personal data. Bank account frozen due to opening of bogus accounts. New York disabled person puts daughter on credit card account. E transferred his HSBC debt (financial institution with most FTC complaints) to her name and refuses to correct. E would not communicate. Man contacted state Attorney General and got results. Texas disputed inaccurate item, and when E refused to remove, he threatened to sue. He was blocked from credit report, suffered rude treatment. A Chapter 7 bankruptcy wrongfully ends up on Florida’s credit causing score to drop 100 points. E will not respond, cannot get a human on phone. Lost a mortgage on his first home. California received a letter from E stating “someone” had requested change in couple’s names/address and Social Security numbers, but would offer no additional info. After providing copies of passports, driver’s licenses, mortgage statement, and pay stubs, E wanted more identification. Filed complaint with Michigan sent letter with documentation to dispute negative items to E’s president, Kerry Williams, who refused to investigate. Tennessee is in a two year battle with E over credit report problems. Equifax and TransUnion made necessary changes requested, but E continues to be a “nightmare.” To contact Experian, here is the address and telephone number: Experian, P.O. Box 2002, Allen, TX 75013, 1 888 397 3742. If you have the same problems as others have reported, above, I suggest you file complaints with your state attorney general, the FTC, and Good luck!

Tuesday, March 18, 2008


If you don’t yet feel the need to control your name and personal data, the latest evaluation of the potential shape of the digital universe may make you rethink your position. To begin with, in 2007 we created more digital information than could be stored for the first time ever. In an MSNBC article, Suzanne Choney tells us about a report from research firm IDC that should serve as a wake-up call to individuals who, as a group, generate 70 percent of this digital universe. We are being inundated by “ever-higher megapixel cameras, iPods with large hard drives and jumbo video files posted on YouTube,” according to Choney. The report was developed for the business world, but the consumer shares a big part in the dilemma by using technology that requires huge databank storage. IDC indicates that the digital universe in 2007 was equal to 281 billion gigabytes of data, about 45 gigs for each person on earth. That represents a 74.5 percent increase in just one year. They also add that it will be ten times bigger in five years. It would be ridiculous for us to think this kind of increase would plateau any time soon, considering the pace of current technology. As an example, a DVD movie requires 6 gigabytes of recording space. The digital growth is coming from a number of sources like social networking and large search engines like Google and Yahoo that regularly come up with new programs that need additional digital capacity. If you want to see the complete report, click here. There are at least two problems with which I am concerned about facing future expansion in this area: One is an environmental issue; Second, there is the potential of marginalizing security in the process. Unless someone comes up with the ultimate power-saver real quick—and so far this is only a topic of discussion according to IDC—consumption could double as new datacenters are built. To accomplish this it will be necessary to generate additional power sources to fill the need, and that could adversely impact the environment. Just as alarming is the pace necessary to maintain this development of increased digital capacity, which will no doubt outrun our ability to secure all this new data. We can’t even secure private information held now at the current rate of growth. In the junk mail industry—which is not regulated as to how long they are allowed to maintain our sensitive data like the pressure recently put on Internet search engines to limit this to 18 months—keeps every iota of your private information forever. In order to store more data, you buy more capacity, but at the same time you have to exert more security. My concern is that business and government will spend to accommodate the increased volume, but not to keep up with the additional safeguards necessary. Adding more confirmation to the fact that consumers should be granted control over their names and personal data, and it should be done now.

Monday, March 17, 2008


Based on new research by Positive Networks, a Kansas company dealing in security products and services, 20 percent of all corporate networks or databanks have been broken into because their security is not adequate. On the other hand, hackers are finding new ways to break into the remaining 80 percent. First, Reuters news service has a good piece that quotes the findings from about 300 Information & Technology Professionals who believe their current authentication methods, such as username/password, are not satisfactory. 93 percent of the respondents were seriously concerned over their company’s protection of data and network security. A large majority of IT professionals do seem to rate the safety of their databanks as a high priority, many indicating improvements over prior years. So why haven’t we seen these improvements reflected in the marketplace where data breaches are still rampant? There have been 60 personal data breaches since the first of the year, as reported by Privacy Rights Clearinghouse. One was a First Magnus Mortgage Loan office in Ft. Lauderdale, Florida that dumped customer files containing Social Security and credit card numbers along with names and addresses, into a garbage container. I mention Magnus because they just went bankrupt and there is a trend across the country for former mortgage lenders to relegate consumers’ sensitive information to the trash heap without shredding it first. One in five of the IT pros had experienced identity theft personally, so you would think they would be screaming their heads off to the company CEO to at least insure that the employee data is secure. That’s probably what the 5,000 MTV Network personnel are saying after their names/addresses, birth dates and Social Security numbers were compromised on March 8. But maybe it won’t make any difference since the latest approach used by hackers is to simply freeze the computer’s encrypted hard drive which causes it to retain data in the memory for hours after the machine is turned off. Of course this must be an inside job, since the crook has to have physical access, but then employees do account for a certain number of data breaches. Princeton University conducted the research on this latest scam to steal our private information, and cautioned that stolen laptops could be a primary target, because cooled DRAM chips can retain their contents for some time after shutting down. The data from the frozen drive includes keys that will unlock the encryption. There seems to be no end to the lengths the identity thieves will go to confiscate our personal data, and as the underground black market for this information continues to grow—which it most certainly will—there remains only one answer to the problem. Grant consumers control over their names and private information and like one of the hucksters for paid ID theft protection does, you can give your Social Security number to anyone and it won’t result in the loss of your identity. Well maybe that’s overdoing it, but you get the idea.

Friday, March 14, 2008


If U.S. marketers have their way, Big Brother will spring to life every time you use your cell phone, or even as it lays dormant in your pocket or purse. In addition to knowing who you are talking to, what you are looking at on the Internet, or what music you are listening to, they know where you are. Yes, they can target your location based on what tower your signal is being transmitted through, merrily following you along as you move from one cell phone tower to another. The towers are, of course, the way they accommodate the transmission and receipt of your calls and other services you use. An Associated Press article on MSNBC, “Marketers target cell phones,” by Anick Jesdanun is a reminder of George Orwell’s 1984, and how the Thought Police maintained surveillance over the citizens of Oceania. Most people keep their cell phones with them at all times, so business might have just discovered a tracking device even better than RFID (radio frequency ID) chips that merchants had hoped to place in merchandise that could also document consumer movements. According to Jesdanun, cell phone carriers are now “guarding the data zealously,” but many think Big Brother will arrive in a year or two, swooping down to watch every move you make. Here’s a scenario: you Googled for pizza places a couple of times on your cell phone, and one afternoon around dinner time you are passing a pizza parlor, and your phone rings to alert you of the fact. That’s not even far-fetched. The following may be. You’re an unfaithful husband having an affair, and your wife is able to follow where you are going with a mapping program, finding that you end up at the apartment of your new love interest. It would be possible based on current technology. The AP article has several such illustrations of potential breaches of our privacy, and with the private information in cell phone company databases that could be used to spy on customers, the possibilities are almost unlimited. Any program of this nature should be 100 percent opt-in by the customer, and even then, Internet search habits should not be kept over 30 days by the carrier. Jesdanun thinks that combining location data with purchase history could be likely for the future. Unless the cell phone companies have underachievers in their IT department—and I doubt that seriously—this data is already being matched with the rest of the customer’s record. Not that this is directly connected, but four of the top wireless companies, AT&T/Cingular, Sprint/Nextel, Verizon and TMobile have some of the highes consumer complaint rates with the Federal Trade Commission, based on a recent study by Chris Hofnagle, Senior Staff Attorney at the Berkeley Center for Law & Technology. You might ask just what is the connection? My answer is if the auto insurance companies can evaluate my driving habits by looking at my credit report, I can evaluate cell phone companies by looking at how they service their customers.

Thursday, March 13, 2008


But in this case the victim’s are asking not only how they got their name, but also how did they get their credit card number. The latest scam seems to be mysterious charges showing up on bank credit card accounts which range from $9.70 to $9.85. It happened to Dimiter Todorov from Nebraska, according to KETV Omaha, but the charge is also appearing on bank statements across the country. The TV station says the Internet is “littered with hundreds of reports of complaints,” and when I Googled “ICH Services’ complaints” there were 49,700 hits. First National Bank Second Vice President Clint Sporhase indicated the Todorovs’ was their first complaint received, and they are backtracking to learn the source of the charge. Sporhase also said that mysterious charges like this usually are a result of consumers giving up their private information to Web sites with which they are not familiar. Now, they are in my territory, and the primary purpose of this post. Even if you know the site, you still look for the “lock” or the “https” at a minimum. Take the time to thoroughly research whoever you are about to give your sensitive data to, and in many cases you will decide not to give it up just because it looks “iffy.” For the life of me I cannot understand with all the attention to identity theft in the media, along with perpetual warnings of potential ID fraud coming from privacy organizations and government agencies, how there is anyone left on the planet that doesn’t understand this urgency. But like in the Navy, there’s always the 2 percent who don’t get the word. The office manager of one of my favorite doctors, who is also a personal friend, asked me for my Social Security number this week, after the doc formed his own practice. I explained why I didn’t do this, and she understood completely. You just have to exert your rights as a consumer who wants to keep their identity and private information secure. has an interesting approach to the ICH scam, along with a stat that credit card fraud costs the public an average of $500 million a year. It seems their victim was issued a credit card they did not ask for and later received a bill with bogus charges of $350. When trying to call the credit card company whose representative appeared to be in India, and after refusing to give that person their Social Security number, the person hung up, and the number did not answer with a call back. In yet another version of this story from, an independent news organization, they indicate that there was a reported incident of ICH Services fraud in November of 2007. In the report they follow the victim through their attempt to find out what happened, and we find out that even then there were 100s of these mysterious charges by ICH Services. Of course the moral of this story is not to give out your personal data to anyone unless required to by law, or only for transactions like applying for a mortgage that require certain sensitive information. Even then, know exactly who you are dealing with. It’s your identity and your life, and when you lose this it’s a disaster that will stay with you for years.

Wednesday, March 12, 2008


A majority of Americans want something done to protect their sensitive data (54% indicate their desire for Congress to pass legislation for this reason), and 52% of you have “very little” or “no confidence at all” that business uses your private information properly. A Harris Poll found that 35% of the population has “very high privacy concerns,” 79% feel it is extremely important that the personal data collected is controlled, and 32% placed their personal privacy above investigating possible terrorist threats. A frightening one-third of consumers admit they don’t know what to do in the case of identity theft. So why don’t we see headlines in the news trumpeting the fact that there is consumer retaliation against business and government for losing our personal data? Something like the MSNBC article from Business Week, “Customer backlash against bad service,” which discloses the lousy service that has been building for some time, and the fact that in 2007, “consumers finally dropped the hammer.” Bad customer service is irritating. ID theft can be devastating. Jena McGregor, author of the piece, says a certain degree of extremism is popping up, which translates into doing what is necessary to get results. Hey, I’m all for improving the kind of service we get from people in business and government that are put there to perform this function, and in many cases this will have to start at the top and work itself down. But I would also like to see people raise hell because some moron took a laptop home loaded with his company’s or federal agency’s data that includes yours and my private information, and it ends up being stolen. In the MSNBC article, one guy posted his complaint on the blog, ComcastMustDie, about the cable and Internet provider’s poor service. Someone should have started a blog back in early 2007 that read, “TJXMustPay,” about the 94 million personal credit card numbers lost by the parent of TJ Maxx and Marshalls stores. The major reactions by consumers to the identity crisis so far is a flood of people signing up for paid ID theft protection that they could do on their own, and an increasing number of folks (50,000 to 70,000) putting freezes on their credit reports, also costly. See more on freezes in the blog, I’ve Been Mugged. These are the result of scare tactics used by the companies providing the protection, and credit bureaus that initiate the freezes. The right consumer attitude is to take responsibility for this important area by demanding control over your name and personal data. In the statistic, above, 79% of you feel it is extremely important that the personal data collected on you is controlled. There is no one better than yourself to do that.

Tuesday, March 11, 2008


In September of 2007, I did a post on how companies schlep your name and personal data around the world. One of the most precarious locations was felt to be mortgage offices where you must lay out your entire life history to get financing for a home. My reasoning was that all that private information lying around in file cabinets was extremely vulnerable to potential break-ins by the bad guys, and could prove too irresistible to insiders. I was right about the lax security but wrong about how your sensitive data would be compromised. No one broke into the office to steal your information or even accessed it online, and employees did not steal it. They took the simple approach and dumped it into the trash. According to an MSNBC article, “Bankrupt lenders throwing away your privacy,” Floridians who had applied with industry giant, Magnus, found out their loan documents, still on paper, were in boxes in an unlocked dumpster in Fort Lauderdale. Magnus—a company we once considered doing business with—touted their technological advancements in computerization which turned out to be false because most records were still on paper. And, they didn’t even have the consideration to properly dispose of these customer records when the company went belly-up. The MSNBC piece indicates that this isn’t an isolated incident, so you should check your lender to be sure. Here’s a list from The Mortgage Lender Implode-O-Meter that seems to be up to date, but I cannot verify its accuracy. It is the only documentation like this that comes up on the first few pages of a Google search. All these mortgage applications must include your Social Security number, and also require date of birth, various financial data like bank account and credit card numbers, and of course your name and address. Bingo for the identity thieves. Another company, Alpha Mortgage Services of Toledo, OH was apparently at least environmentally concerned when throwing the complete records of hundreds of former customers in the recycle bin behind a grocery store. The Fair and Accurate Credit transactions Act (FACTA) requires disposal of these documents in a way to protect the individual’s information, but, as usual, the Act doesn’t go far enough. FACTA doesn’t actually require physical destruction of data. Our government at work. As usual, the Federal Trade Commission (FTC) is no help. The FTC has brought only one case after its rules advising the burning, pulverizing or shredding of personal documents went into effect in 2005. It’s like the bureaucracy doesn’t understand the importance of protecting this information, and, when they find out, don’t have the slightest idea of what to do. Since it takes forever for the word to get around, and the fact that the housing mortgage crisis seems to be worsening every day, we can probably expect more of the same in coming months. Each time a new catastrophe like this pops up, it reinforces my concept that consumers should have control over their names and personal data. If that were the case, none of this would matter, except to realize how dumb some of the people who control our private information can be.

Monday, March 10, 2008


Probably no surprise to most technology experts, but certainly in tune with the predicament business and government have gotten us into based on the handling of our sensitive data. And, by the way, made worse by the apathy of the American public that identity theft probably won’t happen to them. You’ll notice I use the word “probably” now because there is an undercurrent of concern recently, as evidenced by consumers rushing to sign up for paid ID theft prevention they could do themselves for free. Last Friday my post was about how individuals have lost control over their names and private information, which quoted from an article on data loss prevention. One comment in the Friday post makes the case for my opening sentence, above. A database security company V.P., supposedly someone on top of the identity dilemma, said in effect that data collectors have just realized the problem, and they are still looking for your private information they hold to determine how to protect it. Pathetic! That said, what can we expect the bad guys to do in the future? Stephanie Hoffman, in her article in the above link, thinks we have to worry about a resurgence of the Storm Worm, a malicious program that spreads throughout computer systems with ease and complete secrecy. With personal information databases their target—where there is a treasure trove of our credit card and Social Security numbers available—the new attacks will be on smaller, “second-tier” businesses in 2008, according to security experts. And it’s a good bet that junk mail companies, particularly those with catalogs, will be the new bull’s-eye, considering their gold mine of credit card numbers tied to names, addresses and telephone numbers. When you add to that the private information they’ve added to the customer’s record consisting of their income and date of birth, no doubt the only reason these companies have avoided numerous breaches already is because the crooks have been concentrating on the larger quarry. The Storm Worm was released through e-mails in April of 2007, and was associated with a European storm to entice recipients to open the message. Using the same ploy with junk mail catalogers could open the door to millions of U.S. households’ personal data, and create thousands of ID theft victims. It could happen because, from my experience as a former data broker, junk mailers don’t have any higher security levels than recently breached companies like TJX (TJ Maxx, Marshalls), or GE Money’s loss of a tape affecting 650,000 J.C. Penny customers. The Hoffman piece also indicated that these companies collecting personal data would start reducing the amount that they take in. I can unequivocally state that the junk mail industry will not take this path, and for one major reason. They survive from the collection and sale of your names and private information—a $4 billion annual list business—and if anything, will only increase this activity. You might be able to live with it if you received a piece of the action, and, of course, had control over your sensitive data.

Saturday, March 08, 2008


I recently received an e-mail from a junk mail list company looking for lists of cell phone numbers with postal addresses. Reading further, INFO Direct says to other list managers that, if they have telephone number lists available, the company has a way of identifying which of those numbers is a cell phone. They want this list for a non-profit organization. This is mentioned in relation to a bill in the U.S. Senate to limit how cell phone numbers can be used. Senate Bill 2454, introduced by Barbara Boxer from California, contains two major components: 1) it gives consumers the right to decide whether they want their cell phone numbers listed in any directory; 2) your cell phone number cannot be sold without your permission. The bill was brought before the Senate in mid December, 2007. I received the e-mail looking for cell phone numbers February 18, 2008. My point is that the junk mail industry will go to any length to collect and sell your personal data. The question arises whether the above shenanigans could be used to skirt SB 2454, when it becomes law? Speaking about identity theft, Robert Siciliano, a personal security expert said, “…apparent carelessness and lack of concern on the part of businesses everywhere is a major factor leading to these kinds of breaches. This was in reference to just four security breaches reported in January of 2008 that outed the private information of close to one million consumers. See article. At the same time, Siciliano stated, large companies are attempting “…to blunt the strength of proposed data breach–notification legislation. And in an additional comment, “…with the exception of token yearlong access to free credit report monitoring, consumers end up with the bill. The piece goes on to highlight particular incidents and document data breaches, but you get the idea. Business and government do not want to be regulated in the collection and selling of your names and personal data unless they can write the bills that govern how they do it. Headlines like “DMA (Direct Marketing Assn.) Fears Do-Not-Mail Legislation” from junk mail publications, and I did a post on this February 28. But the real concern is shown by new lobbying efforts by companies like ChoicePoint. CP is the junk mail data broker that led off the declared procession of personal data breaches starting in February of 2005. I say “declared” because it took a California law, SB 1386, passed in July 2003, to get the ball rolling where companies were compelled to notify those affected in a data breach. Prior to that your private information was lost on a regular basis—as evidenced from my experience as a data broker—but was never disclosed. CP spent $1.4 million on lobbying Congress and government agencies in 2007, according to Int’l Business Times, through firms like the one John Ashcroft formed after exiting as W’s Attorney General. ChoicePoint and all the other data brokers and junk mail companies would like to see federal legislation that would provide standard control over their activities, as long as they can write the law…in their favor. I would rather see federal legislation written in favor of the consumer for a change, granting them control over their names and personal data. The question is, who will win?

Friday, March 07, 2008


With 2007 a banner year for personal data breaches, the outlook for 2008 will no doubt be measured with how much we’ve learned from this experience, and what and how much we are doing about it. There is definitely some progress, but many privacy advocates—myself included—feel that we have simply waited too long to address the identity crisis with a firm approach. The consumer has completely lost control. Further, my thinking is that the core of this dilemma that has reached enormous proportions is that business and government will not accept the fact that the only solution to the problem is to give individuals control over their names and personal data, and compensate them when it is sold. By paying the name-holder a fair price, there is incentive for them to take charge of this control and handle it like any other responsibility in their every day lives. The latest analysis of the state of ID theft comes from Stephanie Hoffman of ChannelWeb in her article, “Data Loss Prevention Trends to Watch in 2008.” Right off the bat the Ponemon Institute tells us that the total average cost for lost or exposed data grew to $197 per compromised record. Harking back to the data breach that started all this, ChoicePoint’s loss of 163,000 private records to Nigerian identity thieves, that would cost CP over $32 million. The biggest ever breach, 94 million records from TJX (TJ Maxx, Marshalls) in early 2007 comes to a cost of $18.5 billion. I would like to ask TJX the question, “If I could give you back that $18.5 billion, along with the losses in your stock and customer goodwill, would you relinquish control over this sensitive data to the name-holder?” As far as I know, no one has added up losses like these to reach a grand total, but suffice it to say, it would build a lot of schools and pay for a lot of medical care. In Hoffman’s piece, she quotes Ted Julian, VP of marketing and security for a database security company, as saying: "People are saying 'let's step back and realize our data is under siege, what's of value that we need to protect and where is it?'" Statements like this just prove how far-removed business and government are in recognizing where we actually stand in the identity crisis. If we don’t know what data we should protect and where it resides by now, the ID theft meltdown is in much worse shape than any of us could imagine. On the pessimistic side, Ponemon feels that business and government will not be able to keep up with the “sophisticated methods” of the crooks, as they begin to focus their attention on the databases that house all this private information. And just from my experience as a junk mail data broker, there are thousands of them out there. Another threat is the resurrection of the Storm Worm virus, a malicious program that spreads through computers without any help or detection. More on this next week.

Thursday, March 06, 2008


If that headline didn’t blow your mind, the fact that there is a certain amount of truth to the statement should. Apparently, Julius Caesar used a simple letter-shifting code to secretly get the word out to his generals, according to Phil Dunkelberger in SC Magazine. It wasn’t encryption as we know it today, and neither was the abacus, which preceded the calculator, but it worked. Julius did establish a precedent since the military continues to use encryption to protect battlefield communications and the men and women who use them. The question is, if the idea that this sort of procedure can protect our personal data has been around for over 2008 years, why hasn’t business and government seriously considered its use in their data collecting, and before we ended up in the current identity crisis? There are applicable answers, but neither justifies the position the consumer is in today in the way their name and private information is recklessly handled and sold. Excuse number one: cost. Excuse number two: the difficulty of implementing encryption and the hardships it imposes through its use. If business and government want every morsel of our sensitive data—and they do actually crave this from my experience as a junk mail data broker—then they should be willing to spend the money and take the time to protect it at all costs. Even when we achieve my goal of granting consumers control over their names and personal data—when it would be nearly impossible to steal one’s identity—there is still the need for encryption. Private information should be secure, and away from the wandering eyes of those not authorized to see it. Dunkelberger says “encryption has played a relatively minor role in protecting commercial data” until recently. He cites California’s breach disclosure law—SB 1386, that requires public notification of any company losing personally identifiable information—as being the “tipping point” that put encryption in motion. But credit must be given to the actual data breach that introduced the current identity crisis, which was ChoicePoint’s loss of 163,000 personal consumer records to Nigerian identity thieves. Another concern the author has is the growth industry in mobile devices that wander outside the “fortress” of data protections like firewalls. Lost or stolen laptops are among the highest sources of data breaches so the concern is well founded, and the obvious reaction is that those machines should house only encrypted data. It is frightening to watch the media report data breach after data breach—Privacy Rights Clearinghouse has documented 55 such incidents since the first of the year—and have to wonder how much, if anything, business and government are doing to stop it. If more of you wondered and spoke up, maybe we could begin to solve this issue.

Wednesday, March 05, 2008


If you haven’t already read it, check out the Associated Press story on how one utility company handles customers’ personal data required for providing service. Milwaukee-based WE Energies apparently allowed employees to surf the private information, snooping on an ex-boyfriend’s account, another to serve court papers, and one who owned property to look at a tenant’s finances. Documents obtained by the AP indicates that this is routine for the utility’s workers, and “a common practice in the utilities, telecommunications and accounting industries, privacy experts say.” Larry Ponemon, founder of privacy research firm, Ponemon Institute, says most of the companies are doing very little to stop it. A lobbying association spokesman for utilities said he wasn’t aware of other similar situations, but the article indicates the industry is pretty closed-mouth. I did some preliminary research and could find no other incidents recently, but this really wouldn’t be considered a breach in the sense of what happened at say ChoicePoint, TJX, or the Veterans Administration. Because WE Energies thinks they have it under control, and because the data hasn’t been used to commit a crime—at least as far as they know—the whole episode could be swept under the table and relegated to yesterday’s news. But that isn’t how Jay Foley, executive director of Identity Theft Resources Center sees it. He thinks the states, who regulate these utilities, should track any employee’s online habits who have access to the sensitive data. Things like the customer’s name/address and payment history, Social Security number, phone number, even income and medical information. I’m sorry but as far as I am concerned, it should have been a crime for those employees to look at that private information for anything other than company business. The company fired or disciplined 17 workers, but who knows what they might have walked away with. The snooping was revealed when one of WE Energies employees leaked information to the media about a Milwaukee mayoral candidate’s late payments on his heating bills. He lost. But here’s what bothers me most: The fact that Ponemon believes these workers with all this access to customers’ personal data see nothing wrong with looking at it from curiosity or for “sinister motives.” It supports what I have been saying for the last three years; the fact that many employees working in data collecting companies—and most every business is—have no respect for the private information of others. I found this prevalent in the junk mail industry list business. Where you would expect the most concern, many times you find the least. It is, of course, a similarity to the attitude of most consumers over the potential of experiencing ID theft. It won’t happen to me. God save the “Apathetics.”

Tuesday, March 04, 2008


You’re probably tired of hearing me talk about how very bad the identity crisis issue is, and quoting statistics that firmly support my statements. I’m frankly tired of having to make this pitch on almost a daily basis, but I do it because the American public has not yet developed a “level of inertia” that drives them to take the proper steps to protect against the fraud. So says Steven Domenikos in his recent article, “Fighting the battle against identity theft” on ZDNet. He also cites two factors that are key in how ID theft is growing at such a rapid pace. First, consumers do not understand the whole concept of identity theft. Second, the way the individual’s sensitive data is spread around databases worldwide provides potential universal and unlimited access by the bad guys. I would add a third: most people think it could never happen to them, so they let others worry about it. I call these the “Apathetics,” those with that low level of inertia mentioned earlier. Domenikos tells us that, even though the crooks have become more sophisticated, as evidenced in phishing and file-sharing scams, they still look in your garbage and steal from your mailbox. Some folks just make it so easy, like not shredding unsolicited credit card offers. ZDNet reports that there is a new trend in ID theft protection, and that is predicting the consumer’s risk factor before it happens. One such company is Identity Truth who uses a combination of your personal factors and behavioral modeling techniques to provide early notification of a possible threat. There is another company with similar services, Identity Finder, which locates where your private information resides outside your control, and gives you the option to shred, quarantine, or move it to a secure location. Both of these companies offer services for a fee that appear to have potential in guarding against identity theft, as compared to the offers that protect you doing what you can do yourself, some with limited success. But time will tell whether or not these new strategies are effective, and we are not yet at that point. Domenikos says further that the “single strongest protection against identity theft would be to not give out any personal information, which is virtually impossible and completely unrealistic in today’s society.” Part two of that statement is correct, but part one is only partially correct. We could still give out our personal data if consumers were granted control over their names and private information. With that kind of situation, we could all sleep at night knowing that out identity is secure in our own hands. And the best part is that it wouldn’t cost consumers a penny.

Monday, March 03, 2008


Chris Hoofnagle, senior fellow at the Berkeley Center for Law and Technology at the University of California at Berkeley, has compiled a report that documents incidents of ID theft with U.S. retailers, telecommunications companies, and financial institutions. The data comes straight from consumer complaints registered with the Federal Trade Commission; 88,000 from January, March and September of 2006, to be exact. It is the first of this style of report I have seen since starting this blog three years ago that would allow consumers to make educated decisions on where to bank, shop, and what cell phone company to choose. MBNA/Bank of America leads the way in incidents per month, followed by AT&T, Sprint, JP Morgan Chase, and Capital One. Macy’s, Comcast, DIRECTV, eBay and Bellsouth have the least complaints. Hoofnagle concedes the report’s limitations: “It needs more information to be useful to consumers.” commenting in a New York Times article. You can see the full 16 page paper here. For some time now we have needed something that would convince consumers just how critical the identity fraud issue is, but, as presented, the report is “Version 1.0,” and hopefully this will expand into something that will aid the public in protecting their names and personal data. Other sources exist: a Chronology of Data Breaches by Privacy Rights Clearinghouse and a similar listing at Identity Theft Resource Center. But as these two non-profits will admit, most of the information is taken from media reports. Now here’s a wild idea. What is needed is two reporting systems to be created; one from the company or government agency committing the breach, and the second from the victims. Both sides would filter into one database that would separate and categorize the incidents, even connecting the breaching party with the victim. Federal legislation would be required to initiate both parts of the plan. First, congress would have to pass a bill mandating that any company or government agency report a breach, regardless of its severity. Another bill would give consumers control over their names and personal data, allowing them to determine how their private information is used. This would include a procedure for individual approval over any transaction using their sensitive data, with the results input to the main database for analysis. Consumer control over their private information could all but eliminate identity theft, but if something did fall through the cracks—the ID thieves are way ahead of us in technology—it would be caught in the system. But that is from my point of view. Chris Hoofnagle was senior counsel to the Electronic Privacy Information Center (EPIC) and was in charge of the organization's West Coast office, before joining the Berkeley Center for Law and Technology. He is a nationally recognized expert in information privacy law, and he has testified before the U.S. Congress and the California Senate and Assembly numerous times. In the abstract from his report, he laments over the lack of information in the identity crisis, and how this is acutely hurting both business and the consumer. Again, from my perspective, it is beyond me how we have escalated to new heights in this dilemma, considering the severity of the increases in ID theft in 2007, yet are still stagnant at the federal level when it comes to any legislation, and still lacking at the state level with laws that truly protect the consumer.