Retailers ask Congress for data breach notification law

From Retailers ask Congress for data breach notification law,

PDF: Retailers ask for data breach law

Hardly a week goes by without some major data breach hitting the news. By now, we’ve become accustomed to hearing about these incursions in which hackers gain access to sensitive consumer records. And each time, the number of affected consumers gets bigger and bigger, and often we learn about the event weeks or even months after the damage has been done.

In the case of the Equifax breach last summer, it took several weeks for the news to break that hackers had been raiding the credit-reporting giant’s files, compromising the data of nearly 150 million consumers. Since that breach, business groups and consumer watchdogs have been turning up the heat on Congress to do something about the time it takes to notify those affected by breaches.

The financial and retail industries have long sparred over proposed laws regulating when and how a company must notify the government and the public once a data breach has occurred. At the heart of the matter is a growing recognition, shared by industry groups and both parties in Congress, that a single federal law is needed to replace the patchwork of differing state laws that now governs breach notification across the nation.

On Valentine’s Day, 11 major retail groups petitioned Congress to pass uniform national legislation that “leaves no holes” and makes all types of businesses responsible for notifying consumers in a timely manner.

In a letter sent to the Financial Services Committee, the National Retail Federation and other trade associations representing “convenience stores, restaurants, truck stops, gasoline stations, grocers, real estate agents, franchises, hotels and the travel industry” said they support a uniform federal law governing what business must do when credit card or other data is breached, but said it should apply to all businesses that handle sensitive consumer data. The NRF announced the action in a news release.

NRF was part of a retail-sector coalition that was protesting a repeat of failed 2015 legislation that would have made notification “mandatory for retailers but voluntary for financial institutions.” The group argued that the financial sector, including banks, credit-card companies and others, accounted for nearly a quarter of all data breaches, while the retail sector accounted for less than 5 percent.

“Every industry sector — whether consumer-facing or business-to-business — suffers data security breaches that may put consumer data at risk,” the letter said. “To protect consumers comprehensively wherever breaches occur, Congress should ensure that any federal breach notification law applies to all affected industry sectors and leave no holes.”

In early January, a broad coalition representing the financial services industry urged Congress to pass “flexible, scalable standards” for data protection that is “tailored to the size and complexity of the organization as well as the sensitivity of the data the organization holds.”

While large-scale breaches happen to retailers, financial-services companies find themselves increasingly targeted by thieves who are often funded and equipped by organized crime. An October report by Thales Security noted that 42 percent of financial institutions had experienced at least one breach in the past, with many reporting multiple events. For its part, the financial industry has been working aggressively to stop fraud attempts. In January, the American Bankers Association announced that banks had stopped $17 billion worth of fraud attempts during 2016.

The sheer size and scale of the Equifax breach is likely to lead to changes in when and how companies of all types must notify the public when a breach occurs, and the pressure is now on Congress to act. But ultimately, what’s at stake is the sensitive information from millions of customers. The protection of that information should be the highest priority for all concerned.


Credit protection: Freeze, lock or fraud alerts

via Credit protection: Freeze, lock or fraud alerts,

PDF: Freeze lock or fraud alert

When Equifax announced a massive data breach last summer, many Americans were rightly concerned about their credit. Thieves had broken into the credit-reporting giant’s database and had access to at least 143 million records for several weeks over the summer, making off with vital information that could potentially be sold on the black market and used to commit identity theft. Initial reports indicated about 1.29 million Mississippians may be potential victims.

The breach was a disaster of unparalleled scale for Equifax and the credit-reporting industry. It eventually cost Equifax its CEO, and the company even now is having to explain itself to Congress and the nation. The inevitable flurry of lawsuits has followed, including a rare 50-state class-action lawsuit.

In the wake of the disaster, most financial experts advised us to be aggressive in how we protect ourselves and our information. The most common advice was to place a “credit freeze” on your account at all three major credit bureaus, to prevent thieves from opening new credit accounts. Other options included credit locks, or fraud alerts. But many people remain confused about the differences among the options, so I’ve found some sources of information to help explain the differences.

Credit freezes and credit locks are similar in many ways. Both keep your credit file off-limits to creditors trying to open new accounts. Both can be easily removed, although there are differences in how that occurs. The key differences, according to most sources I checked, are that unfreezing (“thawing”) your credit file may take a bit longer, locks may cost more, and you may be giving up some of your rights to join class action lawsuits if you put a lock in place.

A freeze is generally considered to be a stronger measure, to be taken in cases where you know your credit has been compromised. A lock might be used if you’re just concerned about the possibility of identity theft in general. A third option, a fraud alert, lets you know when new credit accounts are opened, so you can act immediately.

Both freezes and locks may cost you. Although there has been tremendous pressure from regulatory agencies and lawmakers to force credit bureaus to freeze your credit for free, only Equifax has so far done so (and only through Jan. 31). The financial website Nerdwallet’s Amrita Jayakumar notes that, at TransUnion and Experian, you will still be expected to pay about $10. For a lock, Equifax currently charges a $4.95 monthly fee to maintain the lock, but a free “lifetime” lock is expected in January. TransUnion provides locks for free, while Experian charges $4.99 for the first month and $24.99 monthly thereafter.

When it comes to removing the protection, the advantage may go to credit locks. Both locks and freezes may be removed fairly easily, but removing a freeze can take 24 to 48 hours to take effect. By contrast, a lock (with TransUnion or Experian, not Equifax) can be removed instantly by simply swiping an app on your smartphone. This is important, for example, for people who want to apply for credit at the store cash register to take advantage of discounts.

Consumer Reports, in a September comparison between locks and freezes, said freezes were in general a better option than locks because freezes are guaranteed by law, whereas locks are only an agreement between you and the credit bureau. In addition, the report noted, freezes are in general cheaper (perhaps free).

Regardless of which you choose, a fraud alert is a good thing to add on. It is free, lasts 90 days (you’ll need to extend it), and requires creditors to verify your identity. You only have to call one of the three credit bureaus, and they’re required to notify the other two.

For more helpful information about the three options, including a comparison chart, visit

Time to change those passwords

via Data breaches becoming all too common,

A decade or so ago, the term “data breach” was unfamiliar to most of us. That’s changed dramatically in the past couple of years. We have gotten used to hearing about bigger-and-bigger thefts of consumer information, each more audacious and troubling than the last. And because there are so many incidents reported every day, it takes something really, really big to get the attention of the media.

Last week, we passed a milestone in this regard as Yahoo, one of the biggest players in the e-commerce world, announced that more than a billion of its e-mail accounts had been compromised more than three years ago. That announcement was on the heels of a September revelation that data thieves had made off with information from 500 million accounts in late 2014 in a different data breach.

Consumers with Yahoo addresses have been warned that passwords were likely compromised in the attacks (but no direct financial information). Still, the amount of information that was lost could be used for identity theft and other nefarious purposes. Many experts have concluded that consumers are increasingly vulnerable. PC World Magazine issued this stark advice for consumers: “If you’re a Yahoo user,” wrote blogger Lucian Constantin, “you should consider your password compromised and should take all the necessary steps to secure your account.”

As the announcement was being made, Mississippi Attorney General Jim Hood sent out a news release, warning Mississippians to remain vigilant. “Our personal information is becoming increasingly vulnerable to hackers, so we must stay vigilant about our online habits,” Hood said. “We can no longer have the expectation that sensitive data will be secure on the internet, so it’s up to us as consumers to be cautious, stay informed and take action to protect ourselves when incidents like this occur.”

In past columns, I’ve written about various topics surrounding internet security. In most cases, a secure password remains key in helping thwart identity theft. We may not like to go through the hassle of changing our passwords frequently, but it’s crucial. And since the approaching new year is a good time to think about changes, it’s also a good time to adopt this habit. Unless and until we have some better ways to ensure our security, we’re going to have to live with passwords.

Hood noted that Yahoo users should use extra caution. Here are a few of his suggestions:

  • Consider “two-factor” authentication when using email or financial services online. This simply means that getting into your account requires at least two steps, such as a password and security code via a linked phone or other device.
  • Avoid unsolicited emails that seek even more personal information or financial data. “Following a large-scale data breach, scammers may attempt to steal a consumer’s identity or access bank accounts by sending out fake notices,” Hood warned.
  • Monitor financial accounts for any unusual charges or activity. Report unauthorized charges immediately.

Here are some other of Constantin’s suggestions from his great article in PC World:

  • Don’t save emails you don’t need. Thieves could easily comb through archived emails and get clues to help steal your identity. While most of us don’t regularly clean out our email accounts since storage space is not an issue, it’s a good idea to go through past emails and delete them (and empty the “deleted items” folder).
  • Check your forwarding settings. Once hackers get access to your email, they can go in and create rules that automatically forward certain emails. It may take a few minutes to locate the controls for these features, but turning off auto-forwarding can keep this from happening.
  • Never reuse passwords. I know, I know … it’s hard to remember all those passwords, and having to enter a new password is a pain. But having unique and hard-to-crack passwords is necessary. Good passwords should be long, contain a mixture of letters, numbers, cases and symbols, and be difficult to guess. One good habit is to intersperse symbols with similar letters. For example, instead of making your password “Mustang1”, you might want to use “Mu$tAnG1”. And unless you have an eidetic memory, you’ll probably need to use an app (or some other secure method) to remember them all.

Time Warner alerts customers to data breach


via Moak: Time Warner alerts customers to data breach, 1/7/2016

Time Warner Cable is warning its customers to change their online passwords after data thieves broke into the company’s computers and stole account information for an estimated 320,000 customers. Reuters announced Thursday that the FBI first discovered the breach, then alerted the company.

If you have an account with Time Warner, it’s important to access your account as soon as possible to change your password. The details of the breach aren’t immediately clear, even to Time Warner, but it appears that the breach happened through one of the company’s partners. Time Warner also noted users with “Roadrunner” accounts, or those that have in their email address, are at particular risk.

User names and passwords were said to be among the data stolen, making it important for consumers to take steps now.

“Our understanding is that the compromise had nothing to do with TWC’s systems or processes,” said Nathalie Burgos, Time Warner Cable Group PR Manager. “We haven’t yet determined how the information was obtained, but there are no indications that our systems were breached.”

Not a day goes by without a large company being targeted by data thieves. Breaches are becoming so commonplace they often don’t make the front page anymore unless they set some record, or have a local connection. Still, the constant theft of information is good reason to change all your passwords right now. Managing all those passwords can be a pain, but can protect you.

Here are a few tips:

  1. Avoid passwords that are easily guessed. Passwords such as “password”, “password123”, or similar choices are too easy for thieves to crack. Stay away from things like birthdays, pet names or maiden names. Instead, use a combination of upper- and lower-case characters and symbols like #, $ or % (if allowed), and mix them up. For example, a password like Mi$sissipp1 is considered a lot stronger than just the word mississippi.
  2. Keep your passwords in a secure place, and change them frequently. If you use an app like Keeper, be sure to use a strong password on the app itself, and be sure to take advantage of your phone or tablet’s passcode feature. If you keep passwords in a notebook, never let it out of your sight.
  3. Deactivate any accounts you don’t use regularly. You may be at risk from an account you started, then abandoned, years ago. Although most reputable websites will require that you update your passwords on a regular basis, there is no requirement for them to do so.
  4. Don’t allow a computer to remember your password unless it’s secure. Avoid letting any computer “autofill” your password unless you are certain security safeguards are in place. And it’s also a good idea to avoid any “open” Wi-Fi hotspots that don’t require a passcode.
  5. Adopt a password-change schedule. On a frequent basis (preferably at least once a month), change everything.

OPM data breach: A.G. says he’s a victim, too

From Moak: Data breach hits home for AG, 12/18/2015

A recent data breach which could affect millions of Americans has hit close to home for Mississippi Attorney General Jim Hood, who announced in a news release that he’s a victim, too.

Hood didn’t give specifics, but he noted that becoming a part of this story has caused him to decide to check his credit regularly, and encouraged others to do the same.

“Data breaches and identity theft continue to cause significant harm to consumers, and full-scale identity theft involving the use of just a Social Security number can cost a consumer $5,100 on average,” said Attorney General Hood. “I am a victim of this hack, too, and I intend to check my credit regularly for at least a decade.”

Hood made the remark in a release discussing the massive hack of the federal Office of Personnel Management (OPM), in which hackers compromised a massive database containing personnel records of more than 4.2 million current or former federal employees, and background check data for nearly five times that many. Some (including members of Congress) have pointed the finger at the Chinese government or others working on its behalf.

In June, OPM announced that hackers had broken into a supposedly-secure database containing information on more than 21.5 million people who had undergone government background checks. The fallout from the breach, which allegedly started in early 2014, eventually cost OPM Director Katherine Archuleta her job and was a huge black eye to an agency responsible for running much of the civil service portion of the U.S. Government. As the scandal unfolded, investigations revealed an ever-increasing number of potential victims.

Included in the hack were fingerprints, financial records and personal information of 5.6 million individuals. If you had a background check conducted on you by the federal government (such as to become a military contractor), you might have been included. OPM should have by now notified those whose data were compromised.

“As a result of the data breach, the OPM is providing identity theft protection and monitoring services to those who were affected and any of their dependent children who were under the age of 18 as of July 1, 2015,” Hood noted in Thursday’s news release. “Services include credit and identity monitoring, identity theft insurance, and identity theft restoration for the next three years through ID Experts, a company that specializes in identity theft protection. The services are to last through 2016 in the personnel files case and through 2018 in the clearance files case.”

Hood urged consumers to verify their status with OPM before responding to the offer of free credit monitoring. “The OPM and ID Experts will not contact consumers to confirm any personal information and advises consumers not to provide their personal information in relation to this incident,” he said. “The OPM is only contacting consumers by mail; so if an email from the OPM is received instead, then it is likely fraudulent.”

“We appreciate the OPM for taking action and providing the sufficient tools and services to help consumers who have fallen victim to this scam,” he added. “Since 2005, nearly 5,000 data breaches have compromised more than 815 million records containing sensitive information about consumers, including their financial account information, Social Security numbers or medical information. The numbers continue to escalate in 2015. Consumers are entitled to check their credit annually at no cost, and regular monitoring is one of the most important ways to protect your credit.”

If you believe you might be affected, but haven’t heard from OPM, you can call 800-750-3004 or 866-408-4555 or visit Consumers can contact the Consumer Protection Division of the Attorney General’s Office at 800-281-4418 if they have a problem with the current number provided by the OPM.

Rising data breach activity is a challenge to retailers and customers alike

Originally published by the Clarion-Ledger on 2/1/14 and in the print edition on 2/7/2014.

PDF: CL Data breaches 02072014

It seems we can hardly get through a news cycle these days without hearing that now-familiar refrain (no, I’m not talking about disgusting cruise ship infections; that’s another post): another company has announced a huge “data breach”, in which consumer information has been stolen, or at least subject to possible theft.

In recent months, there have been some data breach events of seismic proportions, and probably many more we haven’t heard about:

  • In November, Target customers’ data were stolen; initial reports showed around 40 million Target shoppers were potential victims; later reports said the damage was actually much worse.
  • This week, Michael’s arts and crafts stores announced the Secret Service is investigating a possible compromise of customer data.
  • Earlier in January, high-end retailer Neiman-Marcus announced a major data theft, resulting in undisclosed damages.

So what’s going on here?

Expert opinions vary on the specifics, but nearly everyone is alarmed at the recent rise in attacks; not for their number, but for their sophistication. The ubiquitous use of credit and debit cards (and the resulting decline of cash) is making data theft potentially more lucrative. And there appears to be an arms race between thieves and their targets, who install ever-more-sophisticated security, only to find themselves challenged by well-funded criminal organizations with money and resources. They learn as they go along.

What, if anything, can we do about it? Well, most experts agree that the solution lies in a mix of strategies.

In an instructive article in PCWorld, writer Tony Bradley notes that retailers must step up to the plate with sophisticated “end-to-end” encryption of consumer data at the point of sale. More sophisticated technology at the customer end, Bradley writes, would help, including things like smartchips on cards and better identity-verification technology.

But, as when dealing with any potential thief, it’s important to remember that if a determined and well-funded thief really wants what you have, he’s probably going to get it. The trick is to make you a less-juicy target. Just as installing a steering wheel lock isn’t a 100 percent guarantee against someone stealing your car, it can make your car less attractive because of the extra time and effort required.

Here are a few things you can do right now.

  • Protect your PIN code, and change it often. Never store your PIN with your card.
  • Check your bank and credit card statements constantly. If you see suspicious charges, contest them immediately.
  • Don’t respond to any email that looks like it comes from your financial institution; if you’re concerned, call them and ask whether the message is legitimate.
  • Consider monitoring your credit. In the case of data breaches, many companies offer this service free to anyone who might have been victimized.

Finally, remember that with the convenience of carrying that piece of plastic, comes ever-increasing risks. You could choose to live “off the grid” and pay for everything in cash, but most of us aren’t ready to make that transition. I suspect that until we are truly safe from these criminals, the best thing we can do is to be vigilant.

Snapchat breach: what if hackers used their power for good?

A few weeks ago, some of my coworkers were talking about using an app called Snapchat to text messages and photos to each other. Snapchat differs from other texting platforms in that if you send pictures via text, they disappear after a few seconds of viewing, never to be seen again. This makes the app attractive because the pictures aren’t hanging around in cyberspace after they’ve served their purpose. That means they aren’t there for gumshoe detectives and divorce lawyers to dig up later and use against you.

Intrigued, I signed up. It seemed like a minimal risk; after all, I already use texting quite a bit. I am often an early adopter of new geeky tech stuff, but as with many such apps, I was fascinated for a while until my ADD kicked in and I got bored with it. I actually haven’t used it in a while. So imagine my (non) surprise when this morning, it was all over the news: a hacker had gotten hold of Snapchat’s list of phone numbers and posted 4.6 million of them online. “Ugh!” I said to myself over my morning coffee. “Not again.”

That website has since been taken down, but the damage has probably been done. Really, the only recourse consumers have in a case like this is to wait for problems and, if they come, to change their phone number. Snapchat users can check on the Gibson Security site to see if their number was among them. (I checked, and supposedly I wasn’t among the victims; I urge you to do the same.) An apologetic Snapchat says they’ll be making the site more secure, but the equine quadruped has already made its exit from that bucolic containment structure.

In the wake of huge hacking scandals, such as the Target data breach on Black Friday which exposed millions of credit card numbers, it’s become clear that pretty much the only way to avoid being a victim is to become a hermit and live off the grid (think Obi Wan Kenobi on Tattooine). But if your information appears valuable to somebody, they probably can get it.

The question I’ve asked myself is, “What would happen if these talented hackers used their powers for good, rather than for evil?” I mean, look at Frank Abagnale, the counterfeiter-turned-consultant of “Catch Me If You Can” fame, who’s made legitimate millions telling the banking industry how to avoid counterfeiters. (Of course, Frank had little choice in the matter, but the end result’s the same.)

Why aren’t these people working for the government, or private industry? I say that tongue-in-cheek, because I suspect that not all of these hacks are done by stereotypical overgrown boys in their 30s still living with their mothers. There is likely some real money and muscle behind a lot of this; think organized crime. Where there is money to be made, there are people who are going to try to take advantage of it. (And it’s likely that some of them are working for a government, but not necessarily for the public good.)

The point is, what an awesome thing it would be if some of that talent could be put to good use, curing malaria, improving the lives of kids, or just helping us feel safer swiping our credit cards at Wallyworld. With all that talent, it’s a shame for it to go to waste on something as mundane as money. Ever the optimist that I am, I still know it’s not likely to happen; the lure of lucre is too tempting. Still, it’s a nice thought, isn’t it?

(This was originally posted in the Clarion-Ledger on 1/3/14.)

What to do about the Target data breach

In the wake of a massive compromise of credit card data from Target store customers, it’s important to know whether you’re at risk, and what steps you can take to protect yourself.

The theft of information, which began Black Friday (Nov. 27) and continued into this week, has reportedly affected more than 40 million Target customers. Although details are still sketchy, it appears that someone figured out how to access the data on the cards’ magnetic stripes, as well as names, expiration dates, and card verification value (CVV) codes from the back of the cards. Armed with that information, a thief could conceivably do a lot of damage by using it to make online purchases.

The Secret Service is reportedly investigating the theft.

So, should you be worried if you shopped at Target? Experts say not really, although it would be a good idea to watch your credit card statements, and if possible, log in to your credit card’s website. Make a note of any unauthorized charges, and report them to Target at 866-852-8680.

“Card issuers are already working with the retail giant to identify and protect affected accounts, and will proactively change account numbers in order to limit damage if necessary,” noted the credit card site CardHub. “What’s more, consumers typically aren’t held liable for any unauthorized charges, particularly in a highly-publicized case of widespread fraud. So, the bottom line is that potentially affected consumers only need to review their account activity a bit more closely than normal.”

Among CardHub’s other advice (courtesy of

Make a Credit Card Your Primary Spending Vehicle: Major card network fraud policies are most generous when it comes to credit card transactions, and credit card fraud is easier to deal with from both a psychological and a practical standpoint.

Sign for Debit Card Transactions: Though debit card transactions “verified” by signature account for a relatively higher share of all fraudulent debit card transactions than those “verified” by PIN, consumer liability is lower when a signature is used since card networks want to promote such transactions given their increased profitability.

Safeguard Your PIN: When using a card with a Personal Identification Number (PIN), make sure not to tell others what it is, write it down anywhere that a third party could access it, or let bystanders see it when inputting it at the point of sale or ATM.

Regularly Review Your Payment Accounts: The best way to ensure minimum fraud liability, regardless of payment type, is to spot any unauthorized transactions as soon as possible and report them to the respective financial institution that issued your card.

Leave No Room for Doubt: Never leave the final amount of a transaction open for interpretation. That means, for example, making sure to always fill in the “Tip” field on a bill, even if you’re only going to write “$0.00.”

Be Careful About Sharing Financial Info: Don’t provide financial information to another party unless they are reputable and you reach out to them first; don’t send private account information via e-mail; make sure any website through which you submit a credit card number has an address that starts with “https” and a domain name that matches the site’s name; shred financial documents before throwing them out.

Aaron’s Rent-To-Own Chain Settles FTC Charges That it Enabled Computer Spying by Franchisees

Can you say, “Creepy?” Aaron’s, Inc., a national, Atlanta-based rent-to-own retailer, has agreed to settle Federal Trade Commission charges that it “knowingly played a direct and vital role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers including taking webcam pictures of them in their homes.” The FTC released the details of the settlement earlier today.

According to the FTC’s complaint, Aaron’s franchisees used the software, which surreptitiously tracked consumers’ locations, captured images through the computers’ webcams – including those of adults engaged in intimate activities – and activated keyloggers that captured users’ login credentials for email accounts and financial and social media sites.

“Consumers have a right to rent computers free of cyberspying and to know when and how they are being tracked by a company,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “By enabling their franchisees to use this invasive software, Aaron’s facilitated a violation of many consumers’ privacy.”

The complaint alleges that Aaron’s knew about the privacy-invasive features of the software, but nonetheless allowed its franchisees to access and use the software, known as PC Rental Agent. Aaron’s also stored data collected by the software for its franchisees, transmitted messages from the software to its franchisees, and provided franchisees with instructions on how to install and use the software.

The software was the subject of related FTC actions earlier this year against the software manufacturer and several rent-to-own stores, including Aaron’s franchisees, that used it. It included a feature called Detective Mode, which, in addition to monitoring keystrokes, capturing screenshots, and activating the computer’s webcam, also presented deceptive “software registration” screens designed to get computer users to provide personal information.

Under the terms of the proposed consent agreement with the FTC, Aaron’s will be prohibited from using monitoring technology that captures keystrokes or screenshots, or activates the camera or microphone on a consumer’s computer, except to provide technical support requested by the consumer.

In addition, Aaron’s will be required to give clear notice and obtain express consent from consumers at the time of rental in order to install technology that allows location tracking of a rented product. For computer rentals, the company will have to give notice to consumers not only when it initially rents the product, but also at the time the tracking technology is activated, unless the product has been reported by the consumer as lost or stolen. The settlement also prohibits Aaron’s from deceptively gathering consumer information.

The agreement will also prevent Aaron’s from using any information it obtained through improper means in connection with the collection of any debt, money or property as part of a rent-to-own transaction. The company must delete or destroy any information it has improperly collected and transmit in an encrypted format any location or tracking data it collects properly.

Under the agreement, Aaron’s will also be required to conduct annual monitoring and oversight of its franchisees and hold them to the requirements in the agreement that apply to Aaron’s and its corporate stores, and to terminate the franchise agreements of franchises that do not meet those requirements.