Friday, June 20, 2008


Today is my day to jump on the soapbox, and bombard readers with another warning about how your name and sensitive data are collected in an industry where profits rank far above security. Even though it has been said countless times, it deserves another outing, particularly with identity theft still soaring.

If there is one thing that should be remembered by junk mail shoppers, it is that when you order a product or service from a junk mailer, or request information from a non-junk mail company, your name and private information are the real prize in the transaction. Unbeknownst to many consumers, that sensitive data is rushed at lightning speed to a computer facility where it is prepared to be sold, often within 24 hours. Sure, they will deliver your product, or service, or requested information, but that is almost an afterthought to many companies that survive from the marketing of your names and personal data.

And that is not the purpose for which you gave them your name, address, telephone number, credit card account, etc. You gave it to them to deliver what you asked for, not to sell it to 50 other junk mailers that, if you should order something from them, will sell it to another 50 companies, and on and on. I also mention non-junk mailers because they are quickly catching up with the traditional list business in collecting names and private information, also putting it up for sale. The most glaring example of this is pharmaceutical companies who buy your prescription data from your local pharmacy.

And the process does not end with the information you provide the junk mailer. Not satisfied, they go to major data brokers like ChoicePoint, Acxiom, Experian, Equifax and TransUnion to enhance the information they already have on you. Things like your age and income, home value, credit cards you carry, children’s names, where you work, what you drink and read, and whether or not you gamble. The last I checked, there were a minimum of 250 known demographic and lifestyle characteristics that could be added to your name and address.

There are now around 60,000 lists on the market that gross the junk mail list industry over $4 billion each year. Most of these lists are not regulated by the Direct Marketing Assn. (DMA), so they are free to do what they please with your name and personal data. Most are honest, but it is the group of renegades that will sell your private information to unethical and dishonest companies that ply us with fraudulent offers, then vanish into the night.

Selling mailing lists has created a life of its own, and with the way new technology is evolving, every day there are new ways to suck up every morsel of private information available on each of us. Although I cannot confirm this, I bet that there is a new database filled with consumer sensitive data born every hour. Maybe even more often. Question if you will, but we have entered the age of Orwell’s Big Brother.

Thursday, June 19, 2008


I am proud of my state for passing a law (AZ House Bill 2677) that basically prevents the enactment of the Real ID Act in Arizona. I am equally proud of Governor Janet Napolitano, a Democrat, for signing it into law on Tuesday, June 17. In case you have forgotten, the Real ID Act mandates a universal driver’s license issued by each state, with personal data on each individual citizen to be compiled in a national database of sorts.

This massive amount of private information on individuals will be controlled by the Dept. of Homeland Security (DHS) and the agency has already said it might add to the state-supplied driver’s license data. I remind you that the government is responsible for 20 percent of all data breaches.

In the beginning, DHS said that non-compliance would prevent a state’s residents from participating in some federal programs, most importantly, not being able to board airline flights through the federally operated Transportation Security Administration (TSA). But in January DHS Secretary Chertoff said that other forms of identification will be acceptable to fly. DHS had originally granted an extension for compliance to all states until December 31, 2009, and then, again in January 2008, further extended it until 2014 (2017 for those over age 50). More info from DHS here, and a detailed explanation from Wikipedia here.

Homeland Security says this is not a national ID card, but what else can you call it? With a shared pool of information containing the most sensitive of personal consumer data available to all the states plus the federal government, and one similar ID card carried by every citizen in the U.S. as their identification, I’ll let you decide what we call it. Any way you label this planned monstrosity, in the end it will still result in a new, ready-made source for identity thieves.

Aside from invading the privacy of every American citizen, the cost that would be borne by states is prohibitive. In a joint report from the National Governors Association, National Conference of State Legislatures, and American Association of Motor Vehicle Administrators, the cost nationwide would be more than $11 billion. When DHS handed down the final regulations on compliance in January of this year, several observers indicated the delayed deadline would do little to ease funding concerns, according to The delay is thought to reduce that $11 billion to about $4 billion, however.

Jeremy Meadows, senior committee director for the National Conference of State Legislatures confirms that, “despite the concessions, DHS didn’t heed a number of other requests from states. Funding and privacy concerns appear to have gone ignored.”

Homeland security hasn’t yet made a final decision on just how the central collection of personal data will be organized, as well as how it will be shared. At this point it is very confusing re. what the level of intrusion into individual privacy will be. What we do know is that if the Real ID Act does take effect, that alone will be an invasion of our privacy. See more FAQs on Real ID here.

Wednesday, June 18, 2008


It’s always been going on, but the Internet is “fast becoming the new nexus for fraud, scams, and identity theft—and the losses appear to be mounting.” This is a quote from the April 4, 2008 Internet Crime Complaint Center (IC3) report, as reported in IC3 is a partnership between the FBI and the National White Collar Crime Center. The report claims that American consumers lost $239 million during 2007 in Internet-based fraud schemes, up from $198 million in 2006.

Investment and retirement scams were highest with a median loss of $3,547 per complaint; check fraud at $3,000 per; and the historic Nigerian scam at $1,922. California leads in fraud perpetrators, followed by Florida and New York; 75 percent of the perps are male. And you will likely be contacted by e-mail by the scammer, followed by Web site visitation, then telephone or instant-messaging chats.

The Nigerian, or 419, scam dates back to the 1980s when the oil-based Nigerian economy declined, and unemployed college students started hustling first businessmen in the West, then spread out to consumers in general. They started with letters, faxes, or Telex, then graduated to e-mail as the preferred way of contact. The number “419” refers to the article of the Nigerian Criminal Code dealing with fraud, according to Wikipedia. The lesson here is the simplicity it takes to create a full-blown, worldwide scam, dreamed up by students with nothing to do, resulting in losses to victims in the millions.

The bad guys are using the same means of contact that are used in the junk mail industry to sell their products and services, thus, a familiarity by the recipient if they also shop by junk mail. I don’t know what customer profile selection the Nigerian used in acquiring 163,000 names from ChoicePoint in February of 2005—the beginning of the ID theft debacle—but as a former data broker, my guess is “opportunity seekers,” called a “mooch” list. So named because of the gullibility of the people on the list who are known for responding to offers that are in fact too good to be true.

The FBI, supported by outside security analysts, says the reported crimes received by IC3 are only a fraction of what is really occurring. This is a result of both businesses and consumers not reporting incidents for a number of reasons, including the time necessary to do so. Still, the FTC has determined that consumer fraud in 2007 totaled $1.2 billion, averaging $349 per individual.

Chris Hoofnagle, senior staff attorney to the Samuelson Law, Technology & Public Policy Clinic and senior fellow with the Berkeley Center for Law & Technology, a known privacy expert, has found in an initial study that “many of the world's largest corporations' customer records were the most frequently pilfered for identity theft and related fraud.” But he adds that this is only a first attempt and that further research is necessary.

This is a point I have been making for three years of blogging, based on 35 years in the junk mail industry observing the negligent handling of consumers’ names and personal data. When you combine this carelessness in the business community, including health care and the government, with the explosion of Internet technology and growing sophistication of the identity thieves, you have a potential disaster in the making.

Tuesday, June 17, 2008


Facebook has been dogged by privacy issues in the past, but the latest could be the one that eventually convinces its users that they are potentially submitting their personal information to anyone in the world who cares to read about it. That is…unless they apply the controls provided by the website that limit where their sensitive data goes. Unfortunately, most Facebook users are in such a hurry to make contact with their friends that security is the last thing on their minds.

Adrienne Felt of the University of Virginia looked at a feature provided by Facebook which allows outside developers to create small programs called applications for its members for things like playing poker, getting daily horoscopes, and sending each other virtual fantasies. According to The Washington Post, since Facebook started this a year ago, “about 24,000 applications have been built by 400,000 developers.” David Dixon, an information technology consultant, recently deleted all his applications after hearing that these developers might have access to his private information.

Felt says that once developers have your personal data, Facebook can’t do anything about it. She also found that 90 out of 150 of Facebook’s most popular applications (that’s 60 percent) have unnecessary access to personal data. One applications provider thinks “leveraging that data would make a lot of sense.” He does add that no plans “are in the works” to do that. That’s the same thing junk mailers said years ago when they began collecting consumer sensitive data.

And then our friends to the north in Canada have made their concerns known when the Canadian Internet Policy and Public Interest Clinic (CIPPIC) filed a complaint in May 2008 asking the country’s Privacy Commissioner to review what CIPPIC felt were “various violations of Canadian privacy law,” by Facebook. reports that Facebook’s policies and practices were analyzed by a “team of law students” resulting in the discovery of these violations of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). Although some of the issues are somewhat picky, like making it hard to delete some things, others are substantive, like a user’s inability to cancel their account and all the data with it.

Other violations by Facebook include asking for the member’s date of birth for no obvious reason, which, along with the person’s name and address, is one of the key ingredients for identity theft. CIPPIC says that Facebook fails to get the “express consent” of users to share their personal information by making all information partially public by default, requiring the member to change privacy settings later.

But the granddaddy of complaints is over Beacon, a system that allows partner sites like Blockbuster, Fandango and forty others to share users’ “off-Facebook” activities with the website. Initially you had no choice, but after an outcry, the company changed a number of privacy settings to prevent publishing by default.

Technology is exploding, and it is the younger set (under age 29) that both understands best and makes the most use of cyber space. They also account for over 25 percent of Internet fraud complaints, a number that is likely to increase if they aren’t taught the potential disaster of the “willingly-without-regard-to-the-consequences” giving out of their sensitive data. By comparison, the 60-plus age group files less than 10 percent of the total complaints. Apparently we old farts aren’t as far out of it as we might have thought.

Friday, June 13, 2008


If you want to reinstate George W. Bush’s tactics of wiretapping the international telephone conversations and e-mails of innocent Americans, then you have a choice in candidate John McCain. According to the New York Times, Douglas Holtz-Eakin, a top McCain adviser, says McCain “believes that President Bush’s program of wiretapping without warrants was lawful.” McCain says it is authorized by Article II of the Constitution, which pertains to those powers vested in the President. Bush did it and McCain supports the National Security Agency wiretapping, despite the Foreign Intelligence Surveillance Act of 1978 which requires court oversight.

How did the public feel about the NSA spying? In an NBC/WSJ poll in January of 2006, “51 percent approve of the administration’s use of these wiretaps — without a court order — to monitor the conversations between al-Qaida suspects and those living in the United States, compared with 46 percent who disapprove. However, 56 percent say they’re concerned that such wiretaps could be misused and could violate a person’s privacy.” McCain also doesn’t think an apology is necessary from the telephone companies to their customers for giving up our private information in support of the illegal wiretapping.

The key to the above statement is “conversations between al-Qaida suspects and those living in the United States,” my emphasis. Unfortunately millions of innocent telephone and Internet customers were spied on to accomplish this ill-planned, emergency action. On the one hand McCain says sometimes the statutes don’t apply to the president, but on the other hand he says, “I don’t think the president has the right to disobey any law.” You can’t have it both ways, but, then, if that’s what he wants, we can be assured of a continuation of the policies of the Bush administration.

A New York University law professor who specializes in executive power issues comments that the latest McCain statement is a contradiction of what he said six months ago to the Boston Globe. At that time the Republican candidate “strongly suggested that if he became the next commander in chief, he would consider himself obligated to obey a statute restricting what he did in national security matters.” Greg Craig, Obama campaign adviser, suggested that anyone reading this would be “totally confused” about John McCain’s position on the issue.

McCain most recently voted for legislation to hold telecommunications companies unaccountable for their action in the NSA spying. The bill also legalizes a form of surveillance without warrants. Salon columnist, Glenn Greenwald, thinks all this is just another ploy by McCain to bring back support of the right-wing-extremists.

And on yet another flip-flop at a conference on computer policy, McCain spokesperson Chuck Fish said the Senator wanted to temper his attitude toward those NSA spying cooperating telecoms saying “they should feel free to disregard communications privacy laws in the future if a president tells them to.” When Wired magazine published the remarks, the McCain campaign said Fish was mistaken. Further, that the Senator’s position—whatever that was—had not changed. Again, my emphasis.

Thursday, June 12, 2008


As the data breaches march aggressively on (a grand total since Jan. 2005 of 917, outing 227.3 million personal records), researchers from Carnegie Mellon University say state data breach laws don’t work. There are 43 states plus Puerto Rico that have enacted legislation, and you can check your state’s law here. If other states’ legislation is anything like Arizona where I live, you can understand why it hasn’t worked. The reason is that in many cases it is up to the company doing the breaching to determine if the loss of the individual’s sensitive data is likely to do any harm. That’s like giving the crook your credit card and asking him to let you know when he uses it.

In the TechWorld article, the Carnegie Mellon research team leader, Sasha Romanosky, says, "There doesn't seem to be any evidence that the laws actually reduce identity theft." The data came from the Federal Trade Commission and included identity theft complaints filed between 2002 and 2006 to determine if state laws like California’s SB 1386 were effective. Well, they weren’t, and since the state legislation route was our only hope due to inept U.S. congressional leaders that have yet to come up with a workable identity theft law, where do we go from here? I’ll tell you where.

Form a grass-roots movement—like the one I have been raving about for three years—and force Congress to pass legislation that will give consumers control over their names and personal data, and compensate them when it is sold. It would be up to you to determine who can have access to your private information, and just what kind of junk mail or non-junk mail material you want to receive. My plan is simple and practical, easy to launch and maintain, with the result of secure sensitive data for the first time since technology took its giant leap.

Carnegie Mellon admits the data isn’t perfect, but, as they perhaps beseechingly put it, it’s all we’ve got. And that in itself is a tragedy, since we are dealing here with the number one consumer fraud in America. Maybe the reason we don’t have well organized figures on ID theft is because Washington wants it that way to keep from having to address the issue. You can see the complete Carnegie Mellon study here. It’s due to be presented at a conference on Information Security Economics at Dartmouth College later this month.

In the “Abstract” at the beginning of the study, which is basically a summary, the conclusion is drawn that it cannot be decided, based on the data, that state laws have had any effect in curbing identity theft. However, the Carnegie Mellon team does give us a ray of hope in exclaiming that the state laws could be having other benefits such as reducing a victim’s average losses, and forcing business to clean up their security act. We’ll take anything we can get.

Wednesday, June 11, 2008


There is no doubt in my mind of the need for having our medical records organized in such a way that it both benefits the individual and is also available in an emergency to prevent an accident by a caregiver, or even death. This is not a scare tactic like the cancer insurance of years ago, but rather a need made necessary by today’s lifestyles. Besides, instant answers, thus immediate decisions in medicine, have always been one of the biggest assets to hospitals, doctors and nurses.

But most of us are leery of giving out this most precious of our personal data, and you should be based on the current rate of medical identity theft. As of today there are over 227 million personal records exposed by breachers, over 15 percent of which is health data.

In yesterday’s post, I started a review of a company I feel has all the ingredients for benefits to the consumer in maintaining their health records, plus security protection standards that are above average. In May I had done a series on the inevitability of the latest trend of computerizing medical data (here, here and here), and endorsed the concept with reservations. My concern was finding an organization that would do this in a way that would exceed the security standards of today’s typical data collectors, many of which are guilty of losing or exposing so much sensitive data.

One such company that exceeds today’s security standards is MyMedicalRecords (MMR), and I want to continue in a review of qualifications that, as a privacy advocate, I find commendable. Some of the highlights from yesterday start with the fact that MMR started by first making sure of consumer data security before proceeding with their business plan. Access to private information is restricted, and a fact I failed to mention in my earlier post was MMR’s low cost of $9.95 monthly, or $99.95 if paid annually.

Getting back to the study conducted by MyMedicalRecords, in a comparison with Microsoft’s HealthVault, there are a number of “haves” and “have nots” between the two providers. MMR accepts secure fax documents; HV does not. MMR has voice mail capability for confidential messages; HV does not. MMR allows the sorting of records by date, family member, etc; HV does not. MMR gives users a search function; HV does not.

And finally, HV’s information sharing feature within the necessary third party structure is a somewhat complicated process of steps. MMR, on the other hand, has a fully integrated system within the company, no third party providers, and with a procedure designed to effortlessly allow the flow of information between user and health caregivers. MyMedicalRecords’ privacy policy is standard with typical protection required by law.

You have to make the decision if you are ready for this, but, if you are, by all means shop around, but from what I’ve seen, you must consider

Tuesday, June 10, 2008


It isn’t often that I get a chance to talk about a company that collects your name and private information and do it on a purely positive note. If the business I am talking about is assembling your personal medical data, my skepticism and curiosity both rise significantly. The skepticism part wasn’t necessary, but my curiosity got the best of me when I learned about yet another Personal Health Records Provider (PHR). MyMedicalRecords (MMR), headquartered in Los Angeles, “seeks to empower health care consumers and medical professionals by facilitating access to consumer medical records and associated vital documents (such as living wills, birth certificates and insurance policies).” Founded in 2005, “Our Mission is to give consumers greater control over their personal health and medical records, as well as other vital information.” It was the “give consumers greater control” phrase on their website that caught my eye, and led me to an intensive inspection of just how the company operated.

I was both surprised and elated by the transparency of their representative, Scott Smith, MMR’s Director of Public Relations. Starting with a comment on this blog’s recent post series, “How Long Before We Accept Inevitability of Personal Health Records Databases? Part 3,” Scott very diplomatically introduced me to MMR, which I had somehow missed in my research of PHRs. It had been my loss because over the period of a couple of weeks, I found a company that started its business by first making sure consumer privacy issues were firmly dealt with, which is unheard of in the junk mail business where I come from. With that in place, they went on to develop a program that deserves your attention if you are searching for a PHR.

To begin, MMR requires all record input via fax or file upload. Fax eliminates the risk of transmitting data over the Internet, but their browser does support 256-bit encryption. Accounts are secured by a unique combination of user ID and password, and protected from multiple attempts to open an account. MMR employees have no access to any information, and I am assured there is a complete purge of data, including backup storage, when a participant cancels. This kind of company—compared to doctors and hospitals—is not subject to HIPAA, but MMR still conforms to its guidelines.

In a study by MyMedicalRecords comparing its features to Microsoft’s HealthVault, the service offered by MMR is fully integrated with a multiplicity of tools that allow the person to manage their personal health care information, including actual copies of medical records. According to the study, HV is like a centrally located computer server connecting to an array of third party service providers, each requiring individual set up and coordination.

There are other important comparisons. First, the HV sign-up involves 4 steps compared to MMR’s single step. Although HealthVault as a stand-alone is free, many of their third party services you might want or require are not. Added together they could total $407 per year, and include CapMed Online, Peakworks fitness management, eSound Health Food Journal, CapMed Ice, which allows physicians to access emergency information, and the MySelfHelp module dealing with grief and depression.

Also, HealthVault does not accept the faxing of documents from third party providers for things like lab tests, radiology reports, patient charts, but MMR does. None of HV’s third party services offers voice mail or a built-in drug interaction tool which come with a MyMedicalRecords account.

There’s more and we’ll get to it in the next post.

Monday, June 09, 2008


You want change, Senator Obama? Here’s an idea that might take you back to the very roots of the Democratic party of yesteryear when it still believed in individual rights.

Social Security income—or any retirement plan for that matter—could be supplemented using junk mail. This approach would solve the problem of those who hate junk mail, turning some of them into believers, and it could be a boon to the industry. And, those loyalists who choose to sit at home and shop will finally be rewarded for something that already comes naturally for them. It would also appease the movement to stop unwanted junk mail. See earlier post. First, let me cover some of your positions on Social Security and retirement.

As our next President, you would want to protect Social Security, and one of the ways you would do this is through using the payroll tax system by increasing the maximum amount of earnings covered by Social Security. You are “forcefully” against the privatization of SS, but want to help Americans save more in some form of automatic savings plan. The latter could be accomplished by re-directing half of the income realized annually by junk mailers ($4 billion) in the sale of consumers’ names and personal data. And, why not?

Without this name-holder and their sensitive data, there is nothing for the list industry to sell, so it is only right that these individuals should be compensated for the sale of their names and private information. At the same time, they take control over their sensitive data, and determine just who may have access. I am not suggesting that they take ownership, just control. I call it the Name & Personal Data Annuity (NPDA), and it works this way.

Junk mailers gross $4 billion annually from selling names and personal data, and this continues to grow each year. It is actually a by-product of the sale of their merchandise or services, and consumers have been kept in the dark for years over the manipulation and sale of this private information. NPDA would not only provide rightful compensation to the name-holder, it would also give them the power to determine just who can use their personal data.

A consortium would be formed with both private (privacy advocates/business) and government oversight. Junk mailers would forward half the income from monthly list sales ($2 billion per year) that would be invested in a national account similar to Social Security at a simple interest rate. As an example, the lucky participant who starts this method of shopping at age 18 (and a great majority do) could supplement their retirement income in an average amount of $607 monthly. The more you shop, the more your name is sold, and the higher that $607 goes.

Even the 78 million baby boomers you have quoted that will be retiring in the next ten to twenty years have a shot at realizing benefits from NPDA. There is another advantage. Through the accounting methods that the consortium would use to screen junk mailers who sell their mailing lists, organizations like the FBI and FTC will have better insight into their activities, and will be able to weed out more of the crooks.

Senator Obama, I sincerely hope that you will take a look at my NPDA concept, and consider its incorporation into the party platform for the November 2008 election.

See additional posts on supplementing Social Security with junk mail here, here and here.

Friday, June 06, 2008


Although this might be old news to some, the subject deserves new perspective from an insider that understands just what was going on when John McCain used his mailing list as collateral for a bank loan earlier this year. The insider is me, with 35 years as a junk mail list/data broker selling mailing lists of consumers—and in this case, contributors—along with their personal data to business and political campaigns. Richard Viguerie—you never call him Dick—started the political genre in Virginia, just outside the nation’s capital, with his conservative agenda, and a knack for putting together fundraising mailings.

I was working for a now defunct company in Washington that had several clients in the philanthropic area, including some politicians and political parties. We managed client contributor lists, and collected a 10 percent commission for this function, which included promoting and advertising the lists to the junk mail list/data broker community. In many cases the company also acted as the list/data broker and could collect another 20 percent commission.

That’s right. One building, one person, and literally one transaction could gross the firm a total of 30 cents on every dollar of revenue. If you were greedy you took it. If you had a conscience—which I managed to develop along the way—you negotiated the commission down. Political lists today sell for around 10 cents per name as a base rate, 17.5 to 20 cents base with e-mail address, but the cost just goes up from there.

The candidate would want to select a party, and the fact they have a credit card and made a minimum donation amount. Donor’s age might be important, their income, whether they own their home, and if they respond to junk mail. Telephone number would be a must, and marital status for the family approach. Add it all together and you tack another 10 cents on, which, if you are talking about e-mail lists—and most candidates are—totals 30 cents for each name, or as we say in the business, $300 per thousand names. The industry average is around 15 cents a name or $150 for a thousand names.

Earlier when John McCain’s campaign was in dire financial straits, it borrowed money from its bank using its mailing list as collateral. In a Jan. 9, 2008 article on Politico, McCain campaign manager, Rick Davis, said “The windfall from selling or leasing such a list was sufficient to get them their cash.” Couldn’t have said it better myself. The next day, Politico posted another piece, “McCain loan could violate donor privacy,” because the candidate’s privacy policy clearly stated the donors’ names would not be sold. In all likelihood it won’t be sold or shared until the November election, but after that, the potential is astronomical in future conservative causes.

I don’t know how many donors McCain has collected, but Mike Huckabee, an earlier competitor and now possible running mate, amassed a file of 3.2 million names while he was running. If McCain hasn’t equaled that, there is something wrong with his strategy.

Here’s the math on 3 million donor names selling at 30 cents per name. First of all, we narrow the file down to its best donors, which would probably net 1.5 million names. One turn of the list grosses $450,000. But the number of times it could be sold in the period of a year is between 25 and 50 times. Let’s be “conservative” and say it is sold 35 times. The gross revenue for one year could reach as much as $15,750,000.

Now you know why John McCain is still in the race for president.

Thursday, June 05, 2008


I hesitate to throw statistics at my readers, but, as they say, there is safety in numbers, and the best way to illustrate the identity theft problem is to expose the numbers. Millions of them. In his Washington Post “Security Fix” column posted this past April 2, Brian Krebs reported that 8.3 million personal and financial records had been compromised since January, resulting from 167 data breaches. In all of 2007 there were 448 data breaches recorded. The statistics come from the Identity Theft Resource Center.

Now get this: since April 2, 2008, the number of records exposed has grown to 16,683,718, doubling the first quarter’s figure in just an additional two months. It took only 131 more breaches to reach the twofold mark, for a total today of 298. That means we are already at 66.5 percent of 2007’s total in only five months and growing. There was a large breach at Hannaford Bros. supermarkets of 4.2 million, but this sort of thing seems to be happening on an annual basis. Remember TJX (TJ Maxx, Marshalls retail stores), where 94 million credit and debit card numbers were lost to hackers last year?

Krebs confirms figures that we have seen quoted before showing business accounting for around 36 percent of the data breaches; next, schools and universities 25 percent; government and military 18 percent; health care 14 percent; and banking and financial 7 percent. See the industry breakdown here. Additional figures show that 13 percent of breaches are from outside hackers, with the majority of data loss coming from lost or stolen laptops. And insiders still do play a part in this fraud.

It is most interesting to see who the players are, and they are a broad range from business to government, military, universities, hospitals, and huge lending institutions. To mention a few: the IRS lost 15,000 records; Pfizer, a repeater, 13,000; the Marine Corps 17,000; University of Miami 2.1 million; Staten Island U. Hospital 88,000; Bank of New York Mellon Shareholders Services 4,504,690; GE Money-Americas 650,000. In all cases some type of personal data went missing, ranging from names and addresses to Social Security numbers to medical records.

ITRC says some of the things prompting the increase in reported breaches are consumer awareness and mandatory reporting laws, under which businesses would rather release the bad news themselves than have it come from the media.

I encourage you to go to the ITRC site and click around on the different choices. Under Consumer Resources there are Prevention Tips and a Consumer Guide. Victim Resources provides Solutions and Letter Templates. And the State and Local Resources button will lead you directly to your state with complete information on what help you can get at the local level. It is only through education and preparedness that we can eventually eliminate identity theft, and you must do your part.

Wednesday, June 04, 2008


Obama has the Democratic Party’s nod as its presidential candidate in November, something that still has to be confirmed at the August convention, so now is the best time to evaluate his credentials as a supporter of consumer privacy. McCain didn’t take long to appraise, because he has no real positions on this important issue, much less addressing the problem of identity theft. Unfortunately, Obama lends little to the right-to-privacy movement in the way of specifics.

He, as did McCain, sent his representative, Daniel Weitzner, to the annual Computer Freedom and Privacy Conference recently in New Haven, Conn. In a Los Angeles Times blog, Weitzner says Obama wants to “preserve and enable the growth of the Internet with its current openness properties.” Further, that the candidate is “committed to strengthening privacy laws…” So far, only generalities. In more of the same, Obama wants to make government more transparent, and was outraged over his confidential passport files being looked at.

As compared to Hillary Clinton’s introduction of privacy legislation, although nothing has passed so far, Obama has not brought any bills forward for the protection of consumer privacy. Back in February of 2006, on the floor of the Senate, he attacked the PATRIOT Act as an overreach of law enforcement power at the expense of individual rights. In a campaign blog published in December of 2007, he mentions the “P” word five times in his belief that a person’s privacy must be balanced with the protection of the nation’s security.

Ideas are great, but consumers need to know now, today, how their names and personal data will be protected starting in January 2009. It certainly hasn’t been in the last seven and one-half years.

Turning to health privacy and what Pogo Was Right/Chronicles of Dissent found regarding Obama, the same thing happened there that happened to me when I asked the campaign a question and requested an interview on the candidate’s positions. A quick response that they would get back to me, then I began to receive unsolicited campaign mailings, but never had my questions answered, nor received any additional information. I even contacted the guy in charge in Arizona, but still heard nothing. Not a way to encourage votes. Pogo found no evidence the Senator ever addressed health record privacy, except for his “Plan for a Healthy America,” which you can see here.

Finally, in a presidential announcement speech February of 2007 in his home state of Illinois, one of his major points was to “Safeguard our Right to Privacy.” Again Obama mentions the “P” word seven times, rambles about the need for privacy protection, and says he will strengthen privacy and hold government and business accountable for violations. He just doesn’t say how he’ll do it, or even give us a hint.

How could we be entering the general election phase of the 2008 presidential election without one of the contenders talking about how they will stop identity theft, the biggest threat to voters’ privacy that has come along in years? If the candidates don’t care about the privacy of the individual in general, let them at least address the number one consumer fraud today: ID theft. If no one does soon, maybe the slate for president isn’t complete yet.

Tuesday, June 03, 2008


California State Senator Ron Calderon, a Democrat, has proposed legislation that will allow your local pharmacy to share and sell your confidential medical information to pharmaceutical companies and third-party corporations (data brokers). Included for sale are the medications you take, and it could be done without the patient’s consent if SB 1096 passes into law. The Consumer Federation of California, in a release, reports that, "Under this bill, an individual’s private medical prescriptions become commodities to be marketed and sold for the purpose of increasing corporate profit, not improving public health."

It has already been done, minus the support of a law like this, in certain other states, one of which is where I live in Arizona. Albertsons/OSCO sold our family’s medication records to drug companies, who bombarded us with mailings over several months. Although these mailings stopped, the question still arises of where this private medical information, plus Social Security numbers, name/address, etc., is still warehoused. I can assure you it has not been deleted from the pharmaceutical companies’ databases.

Californians should contact their representatives, and the media, to let them know how they feel. The other 49 states can only wait and see the outcome of this bill. Unfortunately, as goes California, so goes the rest of the country in many cases.


In my last post, Senator Clinton had strongly recommended a Privacy Czar that would serve under Homeland Security and straighten out the government’s handling of consumers’ sensitive data, to both protect the individual’s privacy and keep the U.S. secure. Next we turn to the privacy of health records, where Hillary shines in an array of introduced legislation, but still no bills passed.

From Pogo Was Right/Chronicles of Dissent, there was the Patients’ Privacy Protection Act of 2004, S. 2827, designed to close loopholes in Federal Rules of Evidence that would make sure “every American’s medical records remain confidential.” In other words, all that good stuff you lay on the line with your doc stays with the doc. A judge would have to rule otherwise, but at the same time maintaining patient privacy to the best of his or her ability.

Then, the candidate supported the Genetic Information Nondiscrimination Act of 2005, S. 306, to “maximize advancing technology’s benefits while protecting Americans from the use of genetic information as a tool for discrimination.” And there was the SAFE-ID Act, S. 810, mentioned in yesterday’s post, which, as it relates to healthcare, provides the same protections for personal health data in the U.S. and overseas. In referring to the Health Insurance Portability and Accountability Act (HIPAA), Clinton says that HIPAA was meant to have teeth, but laments the 35,000 complaints received under the act with not one monetary penalty having been levied.

In the Senator’s American Health Choices Plan introduced in September 2007, Pogo points out that privacy is mentioned only once, and that is in a heading on page 7, reading, “Ensure That All Providers and Plans Use Privacy-Protected Information Technology.” You can’t blame the candidate after suffering all these defeats in the passage of a series of well-conceived and well-written bills on privacy. She can be faulted, like all the others, for not insisting that this issue be included in the party’s platform.

Hillary believes we can balance privacy rights and national security using the Foreign Intelligence Surveillance Act (FISA), which Bush whined was too slow. This would be done in three ways: 1) giving Congress oversight over the issue, 2) first seeking a warrant for the surveillance, and 3) maintaining effective intelligence gathering according to law.

WIRED did a good piece on the candidate back in January of 2007, entitled “Hillary: The Privacy Candidate?” The time period seems almost ancient based on recent developments in the presidential campaign. According to the article, Obama and Edwards have addressed privacy issues throughout their careers, but “Clinton’s approach is notable for its range and detail,” according to privacy advocates. Chris Hoofnagle, a law professor at UC Berkeley's School of Law and privacy expert, said: "Sen. Clinton's plan is well-informed and the most sophisticated statement in recent years by a presidential candidate on privacy issues."

Although I haven’t been able to uncover the source for this statement, WIRED says Senator Clinton’s “general policy position is that companies should cede more control to consumers, and that new legislation should be enacted to make it easier for consumers to recover monetary damages from companies that violate their privacy policies.” Jim Harper of the libertarian think tank The Cato Institute comments: "The reality (of her proposals) is that they would almost turn the information economy inside out -- it's like saying, 'OK, now the water in the stream is going to flow in the other direction.'"

Isn’t that exactly what we need to do?

Monday, June 02, 2008


I am impressed with Clinton’s proposing of privacy legislation, but, unfortunately, none of it has resulted in law. Her most courageous efforts are S. 3713, the Privacy Rights and Oversight for Electronics and Commercial Transactions Act of 2006 (PROTECT), and S. 810, the SAFE-ID Act, both in the 109th Congress. Much of their failure can probably be blamed on a Republican-controlled Congress when each was introduced. However, when the Democrats took over in January of 2007, they had their chance to shine, but, of course, blew it.

On June 16, 2006, speaking before the American Constitution Society, Hillary laid out her plans for privacy, and they are quite impressive. To begin, she says: “At all levels, the privacy protections for ordinary citizens are broken, inadequate and out of date...” Good start. Then she comments on how “privacy and national security have gone hand in hand since America’s beginnings.” After noting how the Framers adopted the Fourth Amendment to provide us this right, she said, “Privacy is not and should not be a liberal value or a conservative value. It is fundamentally an American value. It is a human value.” Sounds like we’re on the way, but that was 2006.

That’s when she proposed her privacy Bill of Rights (S. 3713) to be encapsulated in the PROTECT Act, and introduced in Congress on July 21, 2006. Here are the protections proposed that would hold the government and the private sector responsible for the information they gather:

• the right to sue when those rules have been violated

• the right to protect your phone records

• the right to freeze your credit when your identity has been stolen

• the right to know what businesses are doing with your credit and credit

• the right to expect the government to use the best privacy practices itself with your information

Next, her Bill of Rights would prevent private cell phone numbers and their call records from being shared or sold. And the Senator feels strongly about notification in the event of a data breach: not in days, weeks, or months, but immediately. Right on.

But her facts are flawed when talking about personal data that is sent overseas. Hillary says that, as inadequate as U.S. privacy laws are, they are better than those found "in most of the rest of the world.” Not true. Sure, if you’re talking about India or Pakistan, but the privacy standards set by the European Union are far superior to any law passed or proposed in this country. Her SAFE-ID bill (S. 810) would have made sure that consumers were notified when their private information was going to be sent abroad, and offered the opportunity to opt out.

Clinton wants another Privacy Czar like the one during her husband’s administration. Naturally, George Bush decided it wasn’t necessary in an imperialistic government. The Senator would have the privacy czar as a part of the Office of Management and Budget, with oversight into the workings of all government departments with the power to enforce the law. And when selecting this person, I would hope that the next president would allow the community of privacy advocates to have major input.

More Hillary privacy next post.