Archive for August 2014
Although not legally required to do so, businesses that experience a data breach often provide free credit monitoring or identity theft prevention services to affected consumers. Offering these services can assist potentially affected consumers, help to rebuild a business's relationship with its customers, and may mitigate potential damage to consumers caused by misuse of their personal information. But at the end of the day, it is generally the business's decision whether to incur the costs of these services on top of other breach-related costs. That discretion may be about to disappear. Recent high-profile data breaches have prompted legislators at both the state and federal levels to introduce legislation that would impose a variety of new requirements in the event of a breach. Although these new laws differ in many respects, one emerging trend is the codification of a requirement that businesses offer free credit monitoring or identity theft prevention services to affected consumers.
At the federal level, such a requirement is one of the key features of the Data Security and Breach Notification Act of 2014, S. 1976, introduced in the Senate on January 30, 2014. This bill would, among other things, require businesses that suffer a data breach to provide affected consumers in many circumstances with a free credit report upon request, and to continue to provide free credit reports on a quarterly basis for two years thereafter. The Senate has yet to take any action concerning this bill.
In addition, several states have introduced legislation echoing the Senate bill. For example, on February 10, 2014, bill NJ A2480 was introduced in the New Jersey Assembly. Similar to the Senate bill, NJ A2480 would impose on any business required to provide notice of a data breach incident an obligation to pay for affected customers to receive a monthly credit report for at least a year. Customers would have a six-month window following notification of the breach in which to request these free credit reports. NJ A2480 is currently under consideration by the New Jersey Assembly Consumer Affairs Committee.
Shortly after the New Jersey bill was introduced, similar legislation was introduced in both Rhode Island and Minnesota to modify those states' respective breach notification laws. Unlike the Senate and New Jersey bills, however, both the Rhode Island bill (2014 H7519) and the Minnesota bill (HF 2253) would require businesses to provide credit monitoring services, rather than simply provide free credit reports. More specifically, both bills would mandate that businesses required to provide notice of a data breach also provide one year of free credit monitoring to individuals whose personal information was taken, or reasonably believed to have been taken, as part of the breach. HF 2253 was referred to the Minnesota House of Representatives Commerce and Consumer Protection Finance and Policy Committee on February 25, 2014. On March 4, 2014, the Rhode Island House Judiciary Committee recommended that 2014 H7519 be held for further study.
In California, legislators have taken a slightly different approach. There, new data breach legislation was introduced on March 28, 2014, in the form of amended AB 1710. Rather than require credit reports or credit monitoring, AB 1710 would require businesses that suffer a data breach to offer appropriate identity theft prevention and mitigation services. These services, which are not defined in the bill, would have to be offered at no cost to affected consumers for at least two years if the data breach exposed the consumer's name in combination with a social security number, a driver's license number, or California identification card number. The California Assembly passed AB 1710 on May 27, 2014, and the bill is currently being considered by the California Senate. Shortly after taking up the bill, the Senate amended it to reduce the length of time that identity theft prevention and mitigation services must be provided to one year.
Florida legislators have added a further twist in the form of the newly enacted Florida Information Protection Act of 2014. That law, which took effect on July 1, 2014, does not require businesses that suffer a data breach to offer free credit monitoring or identity theft prevention services. Rather, it requires businesses to notify Florida's attorney general as to whether free credit monitoring, identity theft, or any other services related to the breach are, or will be, offered to affected consumers. Although businesses do retain discretion as to whether to offer free services in the wake of a breach, having to discuss the matter with the attorney general does create an incentive to provide them.
It remains to be seen how many of the aforementioned bills will be passed into law or whether other states will try to introduce similar requirements. One thing is clear: legislators are no longer willing to leave it up to businesses to decide whether to offer free credit monitoring or identity theft prevention services to consumers affected by a data breach. Going forward, the costs of providing such services may become an unavoidable cost in every data breach incident.
Experian Credit Data Breach
Updated: Monday, July 28 2014, 06:36 AM CDT
Target hack victims were directed to Experian for protection, but if you think credit bureaus are safe from data breaches, think again.
During that recent data breach with Target, the company lost data on 110 million customers. It sent them to Experian for identity theft protection. But it turns out Experian, one of the big three credit bureaus, had its own data leak.
One of Experian's subsidiaries accidentally sold the personal data of millions of Americans to a fraudster in Vietnam. Then that guy sold the information to identity thieves around the world.
The leak was plugged before Target sent victims to Experian. But it shows that even companies we expect to protect us from data theft have problems keeping our information safe.
In Experian's case, the Vietnamese fraudster tricked the company by posing as a private investigator in Singapore. This happened more than a year ago, but Experian has stayed quiet about the details. A spokesperson called it an unfortunate and isolated issue.
Target and Experian both say the credit monitoring service is unrelated to the incident involving Experian's data selling business.
CLINTON (AP) – State Treasurer David H. Lillard Jr. has presented the Anderson County school system with a $2,000 check for getting parents to complete an online tutorial about the importance of saving for college.
School officials received the money in exchange for getting parents of children who attend their schools to participate in the tutorial.
The tutorial provides information about the TNStars 529 College Savings Program.
People who open accounts with TNStars can choose from different investment options ranging from conservative to aggressive. Taxes are not paid on investment earnings as long as that money is used for qualified higher education expenses.
The promotion with Anderson County schools was part of a pilot project that the state Treasury Department plans to offer at other school systems across the state.
After several measures to cap short-term loans in Louisiana and limiting the amount of payday loan facilities in the state failed during the legislative session, opponents are asking for regulation at the federal level. Pictured are community members sharing their payday loan experiences at Elm Grove Baptist Church in Baton Rouge in November 2013.
(Photo by Renita D. Young, NOLA.com | The Times Picayune)
This will likely disrupt the free credit report industry. Websites which currently offer free credit reports usually do so by making the customer give their credit card, and sign up for a credit monitoring service. Unless the consumer cancels the service before the free grace period ends, they begin getting charged for the credit monitoring. Consumers now have a choice of accessing their credit report for free without having to sign up for a service or give their credit card as part of the deal.
In addition to disrupting the no-cost credit report industry, it also helps the company differentiate itself from rival free credit score websites such as Credit Sesame and Quizzle. It also helps to differentiate itself from credit card companies which have begun to offer free credit scores to their users. While company spokesperson Bethy Hardeman says that this new service was created to give customers valuable resources which can help educate them about their credit, it certainly doesn't hurt that it also makes the company stand out from the competition.
While consumers have been able to access their credit reports for free through the government mandated website AnnualCreditReport, they are only able to do so once a year. Credit Karma will allow their users to access their credit report as often as once a week, which can be a great advantage when trying to remove incorrect entries from the report. It also helps to keep tabs on how those removals are progressing. With as many as 25% of all credit reports containing incorrect information which can negatively affect the person's credit score, making sure your credit report is correct is important.
The one catch is the credit report is limited to the TransUnion credit reporting agency, and it doesn't include the credit reports from Experian or Equifax. This could be important because each agency collects different material, so just because your TransUnion report is free from errors, it doesn't mean the reports for the other two agencies are error free as well. When your TransUnion report is pulled through Credit Karma, it's considered a soft-pull which isn't shown to creditors and won't lower your credit score.
For those who are concerned about both their credit score and credit report, and not just one or the other, Credit Karma has created the opportunity to get and keep tabs on both in one place.
Yesterday, The New York Times reported that a Russian cyber gang managed to obtain over 1 billion unique passwords from various sites across the web. The security research firm Hold Security discovered the hack and NYT verified the authenticity of the stolen credentials using an independent party.
Still, details about the hack are few and far between. How many of these compromised passwords are from previous hacks from high profile attacks within the last year? How many usernames and passwords from Target, eBay and Goodwill were sold on the black market?
Hold Security also claims that victims of the hack range from Fortune 500 companies to smaller websites. No companies have stepped forward to acknowledge the hack since Hold Security broke the news yesterday.
But even more puzzling is Hold Security's reaction to the attack. The company is offering full electronic identity monitoring for individuals. The service will be free for 60 days and will cost $120 per month afterward. Customers will need to complete a registration process, which includes handing over your email and encrypted versions of your passwords to compare it to the ones in our database, which is written in Hold Security's terms of service. You can't even check to see if your usernames and passwords were part of the attack unless you sign up for this service.
This is a huge conflict of interest for Hold Security. It is the one profiting from your fear. Most security research firms offer services for free to people who have been hacked. Traditionally, companies who have been hacked provide credit monitoring services free of charge. Sony provided a subscription to AllClear ID after its 2011 hack. Target also provided free credit monitoring to all its affected customers.
I'm not the only one skeptical of Hold Security's approach. Here's what Joe Siegrist, CEO of LastPass, had to say about it:
I’m very suspicious of Hold Securities’ [sic] approach. They are offering full electronic identity monitoring service to individuals for the price of $120. Most security companies who find something like this hack offer to help people for free. Hold Securities is also asking for your email before they will send their terms of service, which is not something I am willing to do, and I would not recommend anyone else do either.
Alex Holden, founder and chief information security officer of Hold Security, explained why the company is charging for its identity monitoring service. Speaking to The Wall Street Journal, Holden said his company is charging a fee to recoup the costs of verifying website ownership. “Believe it or not, it is a hard and often thankless task,” said Holden.
The Verge dug into the story as well, noting that the method used in obtaining the passwords is commonly used and protected against. “SQL injection is a powerful technique, but it's also a common one… It's always possible that a Fortune 500 company left themselves exposed but it seems like a longshot,” writes Russell Brandom.
The takeaway from this is that sensationalism sells. As part of the media I bear some responsibility but here at Softonic, we strive to be accurate and avoid sensationalism. Online security is a real threat to us, but we should temper the fear with facts. Now with security firms like Hold Security profiting off our fear, we have to be skeptical of corporate interests as well.
I reached out to Hold Security, who did not immediately respond by the writing of this story.
Follow Lewis on Twitter: @lewisleong
Three years after its last try fizzled, Daly City is renewing the fight to regulate where payday lending business can locate in the city as a way of preventing an overconcentration of them particularly in lower income areas.
The city can’t legally regulate the loans themselves such as capping the annual percentage rate but is allowed to limit them to certain zoning areas and require a certain amount of distance between each business to keep a glut from popping up in one spot.
On Monday night, the City Council will consider both based on a unanimous Planning Commission recommendation to amend the zoning code. If passed, a definition of “payday loan business” will be added to the code rather than filed under the umbrella of “bank” and they will be allowed to operate without a use permit in four zoning areas: office commercial, BART office commercial, light commercial and Sullivan Corridor Specific Plan District. The proposal also calls for a 1,000-foot minimum distance between new payday loan businesses and other payday lenders.
The last caveat is meant to prevent future concentration and keep space available for more traditional financial institutions like credit unions or banks, according to a staff report to the council.
Currently, the city says there are five licensed check cashing businesses in Daly City — some whose 1,000-foot boundary overlap each other — which are concentrated along the Mission Street corridor. City staff say, based on 2010 census data, these businesses are located mainly among Daly City’s lowest income neighborhoods on the east side.
Opponents of the short-term loans often say the convenience for those who may not have access to more traditional lending options is outweighed by fees equivalent to an annual interest rate of 460 percent that can perpetuate a cycle of debt.
The idea of regulating payday lending in Daly City was first raised in 2011 but the plan never came to fruition. Mayor David Canepa, who championed the idea three years ago, said there was not sufficient “appetite” back then but a subcommittee he appointed this year agrees this is good policy.
“[S]ometimes it’s not the policy, but rather just the timing,” Canepa said in an email to the Daily Journal.
The previous effort, though, targeted not just the locations but the actual loan products. Canepa had proposed allowing short-term loans up to $500 with a maximum APR of 18 percent for residents and give users the ability to build credit by paying off loans over a period of up to a year. Canepa also wanted a cap of three loans per person per year and a financial education requirement for borrowers.
State law and court challenges preempt the city from targeting the actual loans, which is why this second attempt is focused on the providers.
In June, the Planning Commission voted 5-0 in favor of the zoning changes but did raise some questions about regulation. The business license division will collect new lenders’ information but there isn’t a way to stop existing businesses from adding payday loan services.
The commissioners also recommend the city proactively educate residents about the “pitfalls” of payday loans through fliers, brochures and other advocacy.
Canepa agrees and wants to partner with county nonprofits on outreach.
“As policymakers we should inform the public of the exorbitant interest rates which stem from payday loans,” he said.
If the Daly City Council moves ahead, it joins Redwood City in regulating where the industry can set up shop. That city bans check cashing businesses downtown and some zoning districts and requires a use permit in others. Pacifica enacted a two-year moratorium on them which it has voted to extend. The city of San Mateo has recently begun exploring the possibility of regulations, too.
The Daly City Council meets 7 pm Monday, July 14 at City Hall, 333 90th St., Daly City.
James McPartland, who owns House and Garden Outlet in Fort Myers, partnered up with Braden in October 2013. He allegedly took all the furniture and items she had, which were stolen from all the victims, and arranged for a moving truck to move it all into two storage facilities. Both storage units were in his name.
McPartland then ran all the sales from his consignment shop through his processing system and allegedly paid Braden for a portion of the sales after deducting the cost of the movers and the storage facility.
A civil lawsuit ensued, resulting in a $1.3 million judgment against Braden. Several search warrants were served on two storage facilities and her penthouse suite in Gulf Harbour. Jewelry, silver and other items belonging to the victim were recovered.
Over the course of the investigation, other victims came forward and advised they had experienced the same situation. Most of them had property worth about $40,000, and all of them were able to identify some of their missing items, in one or both of the warehouses, that were discovered.
Braden filed personal bankruptcy in an effort to avoid the judgment and then contacted McPartland to partner up and hide the assets, the release said.
Braden, 63, and McPartland, 66, have been charged with scheme to defraud aggregate value over $50,000 and grand theft over $100,000.
AMARILLO — The city council is looking to make some changes on how payday lending and title loans work.
They're hosting a workshop about some possible ordinances.
It's happening in the Civic Center Heritage Ballroom.
It's designed to help council members work with the community in an effort to consider a model ordinance that will support fair, equitable interest and fee charges for those loans.
Randy Orbach, shown at home in Newport Heights earlier this year, swore prison reformed him.
So much for Randy Orbach's redemption song (allegedly). The parolee and subject of a Weekly cover story in March has been arrested on suspicion of making illegal contact with the ex-girlfriend whose complaints of being harassed sent Orbach to prison in March 2010.
During a four-month period after the couple originally broke up, Orbach hit the woman with a pipe, punched her in the face, slashed the tires on her car, threw a firecracker on her roof that led to a small fire and sent her countless e-mails and messages, prosecutors told jurors. He was convicted in 2008 on 57 counts of violating a restraining order and one count each of arson, battery, stalking and disobeying a court order.
In March 2009, Orbach was given a suspended five-year prison sentence that allowed the then-millionaire son of a former George W. Bush cabinet member to spend nights at the private Seal Beach jail for a year while working days at the financial advising firm he founded in Laguna Niguel.