Archive for the ‘Eduard Goodman’ Category

By Eduard Goodman, Identity Theft 911

An interesting Appellate Court opinion was recently issued that, while limited in scope, requires us to acknowledge the expanding realm of our own identity footprints and the need for evolving views of how we define identity theft. The case, PEOPLE v. ROLANDO S., stemmed from a Juvenile Court case in Kings County, California. The case involving teenagers was based on the following facts:

Rolando S., a minor, was one of several recipients of an unsolicited text message containing the password to the victim’s email account. Rolando, who apparently had been in trouble with the law before, used this information to gain access to the victim’s email account. Once he was in, he accessed her Facebook account and profile. Then Rolando proceeded to post vulgar, sexually oriented comments on the walls of a couple of the victim’s male Facebook friends pretending to be her. He even modified the victim’s profile adding additional sexually oriented comments.


By Eduard Goodman, Identity Theft 911

The news is bad: Your company suffered a data breach. Don’t make it worse by sending out a confusing, overly technical or outright alarming letter to your customers.

In 46 states, companies that have suffered a data breach are required to send letters to all affected parties whose personal identifying information has been compromised. These letters must comply with state laws, but compliance doesn’t mean the letters have to read like legalese or cause undue panic. The goal is to inform, educate and reassure your customers, not bore or scare them. You want—and need—them to read it, so how do you make the letter as helpful and appealing as possible? Check out these 4 tips:


By Eduard Goodman

A day doesn’t go by when we don’t read news of a data breach at a major company, healthcare facility or financial institution. The breaches at Epsilon, Sony and now brokerage Morgan Stanley Smith Barney are good examples.

We asked Eduard Goodman, Identity Theft 911 chief privacy officer and an expert on international privacy and data protection law, what to do when a data breach notification letter lands in your mailbox.

His short answer: Don’t panic. Just pay attention.


As part of the CUNA Home & Family Finance radio show, Identity Theft 911’s Chief Privacy Officer Eduard Goodman spoke about online tracking. The good news? New legislation may protect you. Click here to listen.

By Eduard Goodman, Identity Theft 911

We’ve been waiting for a federal data breach notification law for well over five years now. So when I read the White House’s proposed notification bill, I was disappointed to the point of being grumpy.

The intention was for Congress to take federal action to unify the nation’s 50-plus different data breach notification laws and requirements. Past legislative attempts barely got off the ground because they weakened state laws on breach notification. While state laws may not be easy for business, they’re meant to protect consumers.

The proposed bill is nothing more than an outdated, bandwagon approach that creates more red tape for businesses, weakens state law, and overprotects small- to medium-sized companies that suffer data breaches. Bottom line: It offers little meaningful help to the consumer.

Here are five weaknesses of the bill:


By Eduard Goodman, Identity Theft 911

For the past three years, companies have tracked how consumers surf the Internet—what we buy, read and eat—with little to no self-regulation. They’ve collected our personal information, created profiles on us and sold them to advertisers without our consent.

Now, we’re seeing a push for legislation that would protect our privacy online.

In February, Representative Jackie Speier, a Democrat from California, introduced a bill that would give the Federal Trade Commission the authority to establish a Do Not Track system for consumers who don’t want their online activity monitored. The system would offer consumers an opt-out mechanism, similar to the National Do Not Call Registry.

Rep. Speier’s draft legislation does a great job of expanding the definition of private data to cover any information transmitted online that contains or tracks an individual’s online activity; any unique identifiers specific to the individual, such as an IP address; and personal information, including name and email address.


By Eduard Goodman, Identity Theft 911

The Federal Trade Commission is taking its role as America’s privacy and data protection authority more seriously than ever.

Fresh on the heels of its new-era privacy manifesto, which lays out its evolving expectations around the intersection of privacy and business, the FTC secured a settlement with three credit report resellers that failed to protect consumers’ personal information. As a result, hackers gained access to more than 1,800 credit reports.

“The FTC will take action against companies that cross the line with consumer data and violate consumers’ privacy . . . I think you’ll see more privacy cases in the coming weeks and months,” said Jon Leibowitz, FTC chairman, when the privacy report was released.

The resellers bought credit reports from the three nationwide credit-reporting bureaus and combined them into reports for sale to mortgage brokers. The FTC said the resellers failed to:

• Develop and disseminate information security policies for their own institutions and their end user clients;

• Assess the risks of allowing end users with unverified or inadequate security to access consumer reports through their portals;

• Evaluate the security of end users’ computer networks, require appropriate information security measures, and train end user clients;

• Implement reasonable steps to maintain an effective system for monitoring end users’ access to consumer reports, including monitoring to detect anomalies and other suspicious activity; and

• Take appropriate action to correct existing vulnerabilities or threats to personal information in light of known risks.

These failures resulted in the exposure of consumer information to a number of groups and individuals without the authority to access it, including hackers.

What’s interesting about these complaints was their uniformity. In fact, they were nearly identical. From my perspective this shows a systemic problem within the industry, one that is general enough for a “form complaint” approach by the FTC.

What I find most interesting, though, is the fact that there isn’t much that’s interesting here. The nature of the complaints and issues in the cases doesn’t stand out; these are not “groundbreaking privacy enforcement cases.” They are common privacy-related complaints around improperly protecting access to consumer data.

Interestingly too, the punishment is also becoming the norm: 20 years of biannual third-party audits that check for proper processes and procedures to correct and improve the protection of sensitive data. This “life sentence” (as I refer to it) for privacy violations begins to drive home the seriousness of these issues in the eyes of the FTC.

If anything, the vanilla nature of these complaints clearly lays out that companies still aren’t doing enough to protect access to consumer information, and that there is no shortage of this type of lax behavior in any industry. The FTC will just keep chipping away at consumer-oriented privacy abuses, one case—or maybe three cases—at a time.

Eduard Goodman, Chief Privacy Officer, Identity Theft 911

An internationally trained attorney and privacy expert, Eduard has more than a decade of experience in privacy law, fraud and identity management. He is a member of the state bar of Arizona and served as the 2008-2009 section chair of the bar’s Internet, E-Commerce & Technology Law Practice Section.

Every organization faces the threat of cyber risks. These risks come in many forms, including market risks, financial risks, reputation risks, legal risks and more. It is important for risk managers to be aware of these threats and the potential consequences they face if a breach does occur. This series gives a basic overview of some of the threats and legislation of which organizations should be aware.

Cyber Risk Legislative Trends by Eduard Goodman

Cyber Risk Threats to your Organization by Ondrej Krehel

By Eduard Goodman


Fly-by-night and unscrupulous identity theft service providers are to be expected in an industry with a lot of growth potential and countless victims. But they’ve always bothered me.

That’s why I was more than happy to participate in the working group that drafted the Consumer Federation of America’s Best Practices for Identity Theft Services. Setting basic standards is a win for the industry and a win for the consumer.

The Best Practices asks companies to clearly explain to consumers why their personal information is needed and how it will be used. It also recommends that they have readily available and transparent privacy policies. The section on privacy is reasonable and easy to understand. It does a good job of laying out basic expectations for providers.

Surprisingly, a number of companies have found that agreeing to follow these guidelines is problematic—mainly because of the privacy requirements. These businesses don’t value transparency of their practices for handling consumers’ personal information.

Now, I realize that the CFA document is not meant for nonprofits or government agencies. It’s intended for private companies who make money by helping people protect against, monitor and recover from identity fraud crimes.

This only drives home what a compelling business argument being pro-privacy makes in our industry. Not agreeing to the Best Practices because you can’t follow the privacy obligations is tantamount to a wind power or solar panel company saying it doesn’t believe in recycling. It’s counter to what the industry is all about. If you can’t be bothered to get your privacy house in order, good riddance.

FTC Chairman Jon Leibowitz said it best in his remarks for the Preliminary FTC Staff Privacy Report issued last December: “Some in industry support what we’re doing, but we know that others will claim we’re going too far. To those highly paid professional naysayers, I have only one question: What are you for? Because it can’t be the status quo on privacy.”


By Eduard Goodman

We’re Addicted, Net Execs Like it That Way

The Social Web

It’s tiresome when billion-dollar Internet CEOs tell us that our privacy concerns are overblown. Whether they run Google, Facebook or an online marketing company, the truth is that they obviously have a financial interest in trading my personal and search information, online contacts and purchases. They’re a business out to make money. Their business is information. I’m not judging; just own up to it. Don’t dismiss our privacy fears because frankly it’s insulting.

In fact the more I hear the mantra, “Don’t worry about your privacy,” from executives in industries that know more about us than our own relatives, the more they sound like tobacco executives in the 1990s. “Your privacy fears are overblown,” is about as convincing as the statement, “Nicotine is not addictive,” especially given the source.

Like tobacco executives of the last century, Internet executives think that we don’t recognize that they have their own agendas and own financial interests at heart. They want us all to believe that there are no downsides to sharing our information or to their collection of it. Just like there are no downsides to smoking, right? They are quick to point out all of the “upsides” and reasons to share information though. Strangely, many also were reasons people smoked at one time, too.

Some of them include:

• Everyone else is doing it, so it must be okay.

• It’s cool. (“What do you mean you aren’t on Facebook?”)

• You’re addicted (because where else are you going to go for an online search? The expression to “Google” something is even in the dictionary.)

Now today, nobody doubts that nicotine is in fact addictive and that smoking causes cancer. We have the research and millions of examples of people who have suffered from smoking-related illnesses to prove it. Yet, worldwide over 1.3 billion people still choose to smoke, knowing the risks and dangers. That is their choice and tobacco is still a multibillion-dollar industry both in the U.S. and abroad.

Like their tobacco industry executive predecessors, people including Facebook CEO Mark Zuckerberg and Google CEO Eric Schmidt raise the point that Internet users have a choice, too. If they don’t like the privacy ramifications of using Google or Facebook, then they don’t have to use them. The problem is that we as a nation have become addicted to Facebook and Google. Like the throngs of chain smokers of the 1950s, we as a nation are failing to recognize the dangers associated with our behavior. With industry executives preserving our collective ignorance towards our vanishing privacy, in the end, like a misinformed, addicted smoker, how much choice do we really have?

