The New York Times has a quick online interactive quiz so individuals can see how much, and which types, of their personal information has been hacked (“How Many Times Has Your Personal Information Been Exposed to Hackers?” by Josh Keller, K.K. Rebecca Lai and Nicole Perlroth; July 29th; http://nyti.ms/1LX2WaB).

The authors clearly state certain caveats including:

  1. They’ve included many, but not all, of the most recent major hacks (e.g., OPM, Neiman Marcus, health insurers);
  2. There are likely hacking attacks that are still undiscovered; and
  3. The resulting score should be seen as a minimum, not maximum, given the above caveats.

I took the quiz and wasn’t surprised to find that my personal information has been exposed and potentially stolen.  What parts of personal identity are listed in the quiz?   There are the obvious parts such as address, birthday, credit or debit card, and SSN.  The less obvious but also included are employment history, fingerprints, password and medical information.  I’m angry about the parts of my identity that were exposed while relieved about the parts that have not yet been hacked.

The authors also provide very useful concrete information about the steps individuals can take once they discover that some of their personal information has been hacked.  Taking the quiz might seem scary but not knowing, and then not taking pro-active steps, will be even worse.

The magnitude of the OPM hacking just keeps growing — the original estimate of 4+ million records has now been upped to over 20 million records. Could this breach get even worse?  Let’s hope not but there is one potential future issue that could do so.  It’s a thorny issue that the OPM officials who contracted with CSID for its’ security services might not have even contemplated.

Here’s the issue.  It’s become fairly standard for a company’s Privacy Policy to include a statement about the sale of some or all of its assets in the case of a merger, acquisition or any type of sale to a third party.

Unfortunately for consumers, their personal information is considered an asset which the company might disclose or sell or transfer to the third party buyer in such an event. The CSID Privacy Policy contains just this type of provision in the section titled “Do We Disclose or Share Your Information?”  CSID says it won’t sell or share personal information with third parties for promotional or marketing purposes.

However, it clearly says that personal information held by CSID “…will be among the assets transferred to the buyer [.]” “… in the event of a merger, acquisition or any form of sale of some or all our assets ….” I doubt anyone at OPM thought to get this clause modified in their contract with CSID.

It would be terrible if, under some future scenario, CSID would be able to transfer the personal information of millions and millions of individuals whose information CSID is supposed to be protecting due to the OPM hacking.

I presented a privacy overview class on July 9th as part of the Lifetime Learning Institute.  The participants were very engaged and had many good suggestions of ways they’ve worked to limit the amount of personal information that is shared about them. One of the participants mentioned Nomorobo.com.  I hadn’t heard of this free service so looked it up.  It was one of the three projects that won the Federal Trade Commission’s  (FTC) Robocall Challenge back in 2013. It sounds like a great way to prevent robocalls from slipping through the FTC’s “Do Not Call” registry.  How does it work?  It uses the “simultaneous ringing” feature that’s available through most phone carriers.  In a nutshell, the Nomorobo technology spots robocalls, blocks the calls and then automatically hangs up on them. There is only one necessary prerequisite for using this free service. Individuals have to have a voice over type of phone service.  Nomorobo doesn’t work on traditional analog landlines or wireless phones.  The website lists the services on which Nomorobo is offered; these include, VerizonFios; TimeWarner cable; Comcast xfinity; and Vonage among others. It’s certainly a service worth exploring so individuals can see if their phone service has the “simultaneous ringing” feature so that Nomorobo can be used.

The 4+ million current and former federal employees whose OPM personal data has been hacked are just the latest group to be worrying about identity theft.  So a recent article by Brian Krebs could not be more timely.  Mr. Krebs has written a terrific piece on the various options that individuals can take to try and prevent themselves from becoming identity theft victims.  While there are no guarantees about any option being foolproof, his recommendations are ones to learn about and then decide whether to use (www.krebsonsecurity.com; “How I Learned to Stop Worrying and Embrace the Security Freeze”; June 8th).

One of his key points is the difference between putting a “fraud alert” or a “security freeze” on credit reports.  A “security freeze” is the stronger tool since “freezing” a credit report means it can’t be viewed or pulled by potential creditors without the individual giving specific consent.  Is it free to do so?  That depends on 2 key factors: has the individual been an identity theft victim? and what are the requirements for the State in which the individual lives.  Some States require a $10.00 or more fee if the individual hasn’t been an identity theft victim.

A  link to a list of the States with their respective requirements can be found in Mr. Krebs’ article.  Additionally, that requirement will pop up when filling out a “freeze” form online with Equifax, Experian and TransUnion.  Once an individual does so, the fee amount for the State in which the individual resides will come up.  These requests can also be done in writing and those details can be found on the website for the 3 credit agencies just mentioned.

It would be great if these “freezes” could be done for free before becoming an identity theft victim.  Is it worth the money to do so before that reality?  My answer is “yes” but everyone has to decide for himself.

Over the last few days, there have been numerous media sources reporting the major security flaw and security risks in Samsung mobile devices.  I urge anyone who has a Samsung mobile device to keep posted on this matter.   I read the NowSecure blog on this issue and they have a list as of June 16th of impacted devices by carrier with the status of their security patch status ((www.nowsecure.com;  go to the “How to Detect It” subheading in the blog titled”Samsung Keyboard Security Risk Disclosed: Over 600M+ Devices Worldwide Impacted”). In a nutshell: NowSecure, a security research firm, has found a security flaw in the Samsung keyboard that could impact over 600 million Samsung mobile devices.  One report, by Graham Cluley, describes the flaw as including Samsung’s latest device, the GalaxyS6 iPhone (www.hotforsecurity.com; “Samsung Galaxy phones at risk from massive security flaw”; June 17).  As Mr. Cluley and others have warned, the flaw could allow hackers to gain access remotely to a Samsung device and allow the hackers to spy through the camera or the microphone, to track the Samsung user’s physical location via GPS, to install malicious applications, to steal information or even to listen in on the user’s messages and voice calls — all without the user’s knowledge. Samsung is reporting that it believes it has a possible patch for the problem and that the patch has been deployed to carriers.  However, per Mr. Cluley, it is difficult for mobile device users to know whether their carrier has patched the problem.  Again, another reason to check the NowSecure website for updates.

LastPass is a cloud-based password security site so reports that it was breached are particularly troubling.  The breach happened on Friday, June 12th but LastPass only sent alerts to account users on Monday, June 15th.  And from what Steven J. Vaughan-Nichols reported, not all LastPass account owners have received email notifications (zdnet.online.com; “Password site LastPass warns of data breach”; June 15).

In his article, Mr. Vaughan-Nichols quotes from the June 15th blog post by Joe Siegrist, the CEO of LastPass.  I read Mr. Siegrist’s blog post and urge all LastPass account users to read it (blog.lastpass.com June 15).  Mr. Vaughan-Nichols quotes from Mr. Siegrist’s blog in which he asserts that LastPass has no evidence that “encrypted user vault data was taken, nor that LastPass user accounts were accessed.”  LastPass is, per Mr. Siegrist’s blog, requiring all account users to update their master password.  They are not requiring or telling users to charge their site passwords because encrypted data wasn’t taken.

However, as Mr. Vaughan-Nichols reported, the LastPass servers are overloaded by account users trying to make the needed changes.

Let’s hope that the “good news” reported by Mr. Siegrist holds true.

There has been widespread coverage of the massive IRS hack.  The hack of the IRS “Get Transcript” tool on the IRS website has affected 104,000 individuals.  As reported in numerous accounts, the thieves who hacked this system stole information about prior tax refunds.  They then used that information in combination with other personal information they likely already had (e.g., people’s names, SSNs, dates of births).  As Jonnelle Marte reported in The Washington Post, after hacking the “Get Transcript” tool, the thieves now have even more personal information (“A year of credit monitoring won’t put risk to rest”; May 30th; A8).

While the IRS will be flagging the persons who’s transcripts were stolen, they will also be contacting them.  Those 104,000 individuals will be offered free credit reporting.  As Lisa Rein reports in The Washington Post, the IRS will also be contacting 100,00 other people — those are people whose returns weren’t hacked but whose personal information the thieves might have (“How the breach of IRS tax returns is part of a much bigger problem facing taxpayers”; May 29).

The risks of identity theft for the individuals whose tax return information was stolen is very real.  People have to remember that the IRS will contact them through letters not emails.  Why is this important?  Because the hackers now have enough information to send scam emails pretending to be from a credit agency, or even the IRS, and be asking for even more personal information under the guise of needing this to help the affected individuals.

 

RadioShack’s bankruptcy could have had terrible and lasting impacts on consumers.  RadioShack had been proposing to include consumers’  personally identifiable information as part of its trademark and intellectual property.  However, as reported by Truman Lewis, a coalition of State Attorneys General from 38 States fought the inclusion of the consumer data as part of the bankruptcy sale (www.consumeraffairs.com/news_index/privacy.html; “Bankruptcy court agrees to protect RadioShack customer data”; May 21st).

As Mr. Lewis reported,  the State Attorneys General reached a settlement under which the vast majority of the consumer data will be destroyed.  Equally important, he wrote that “…no credit or debit card account numbers, social security numbers, dates of birth or even phone numbers will be transferred.”  The Bankruptcy Court approved there settlement terms — all of which is an important result for RadioShack customers.  RadioShack had in its files, as Mr. Lewis noted, 8.5 million customer email addresses.  The new owners of all of RadioShack’s assets will only be able to keep a limited percentage of those email addresses. Whose email addresses will be included in the sale?  Mr. Lewis reports that those will only be for customers who had asked for product information within the last 2 years — and General Wireless, the new owner, will be contacting those customers and provided the chance to opt out of future General Wireless communications.

General Wireless also has agreed not to sell or share of the RadioShack customer information it is obtaining with any other entity.

This settlement is an important victory for consumers thanks to the strong actions by these 38 State Attorneys General.

I’ve written previously about the growing use of electronic health records (EHRs).  Some of this growth is driven by Administration mandates while some can be attributed to the enhanced patient care perceived by medical and health professionals.

Using EHRs does allow patients and their medical professionals faster access to personal patient health information.  However, this type of patient information is among the most sensitive that exists.  So making sure that the EHRs are protected optimally is, and should be, a key consideration for their creation and usage.

As Marianne Kolbasuk McGee recently reported, these issues are receiving increased congressional attention (www.healthcareinfosecurity.com; “Senate Scrutinizes EHR Interoperability”; May 5th).  The Senate Committee on Health, Education, Labor and Pensions has created a working group that will be examining multiple EHRs related issues.  These topics include improving the ways in which EHRs operate; looking at ways in which to improve more secure health information exchange between and among vendors, healthcare providers and the EHR systems; and making EHRs easier to use by health and medical professionals.

The working group has set an ambitious target goal of making legislative and administrative recommendations by the end of 2015.

Any improvements to the security, privacy and operation of EHRs would be important advancements.

Follow

Get every new post delivered to your Inbox.

Join 75 other followers