December 21, 2024

Bucks Blog: The Cost to Consumers of a Data Breach

A new analysis of a huge data breach last year in Utah estimates that more than 120,000 cases of fraud will occur as a result of information stolen.

Javelin Strategy Research’s analysis also estimates that each incident will result in more than $3,300 in losses, on average, and each consumer who is ultimately victimized as a result of the breach will spend about 20 hours and $770 on lawyers and time lost from work to resolve the case.

Ripple effects from the incident in the spring of 2012 will also prove costly to banks and businesses that may also suffer fraud as a result of the stolen information, said Al Pascual, a security, risk and fraud analyst at Javelin.

“We all need to be aware that breaches are occurring,” he said. “Breaches lead to fraud, and fraud affects all of us.”

Using the specifics of the Utah breach, Javelin applied what it has learned from its prior research about the impact of such breaches — namely, that having your personal information compromised makes you more likely to become a victim of fraud. Javelin estimates that roughly one in four recipients of a data-breach letter ultimately become fraud victims. (The estimate is based on information provided by consumers themselves, rather than law enforcement.)

“These breaches are driving fraud,” Mr. Pascual said. Criminals, he said, are generally not digging through trash or stealing mail to obtain personal data. “They’re stealing it digitally,” he said.

In the Utah case, about 280,000 Social Security numbers belonging to participants in the state Medicaid and Child Health Insurance Program were stolen from a database maintained by the Utah Department of Health. In addition, less sensitive pieces of information on another 500,000 participants were stolen.

Social Security numbers are particularly dangerous in the hands of criminals, because they can be used in combination with other information about you to create or access bank accounts and obtain credit.

The Social Security numbers were used by the department to verify eligibility for the insurance programs. But a contractor did not safeguard the server where the data was stored. The information was not encrypted and was protected only by a weak password that was easily hacked, the Javelin report said.

There may be little that individual consumers can do to prevent such a breach. But there are steps they can, and should, take to protect themselves, if they are notified that their Social Security number has been compromised in a data breach, Mr. Pascual said.

First, you should contact your bank and explain what has happened because many banks still use Social Security numbers to verify customer identity. You can ask for an alternative means of verification, like a specially assigned PIN, or a series of questions known as “dynamic” authentication. For instance, the bank may ask you about the size of recent transactions, or other details that only you would be likely to know, before allowing access to your account online or over the phone.

If the bank isn’t willing or able to provide an alternate method of verification, “It may be worth looking at institutions that offer better protection,” Mr. Pascual said.

Even if you haven’t had your information compromised, you should make use of your bank’s automatic account alerts. Such systems send you an e-mail or text message if unauthorized changes are made to your account, like the addition of a new authorized user or a new bill payment account, or a change of address. They can also notify you of significant transactions, like large withdrawals or transfers. “The consumer is going to know first whether a transaction is valid or not,” he said.

If you’re the victim of a breach and are offered free credit monitoring, you should take advantage of the service, he said. In the Utah case, victims were offered two years of credit monitoring and identity theft insurance.

Ultimately, banks should stop using Social Security numbers as identifiers, he said.

Have you had your personal information stolen? Did fraud occur as a result?

Article source: http://bucks.blogs.nytimes.com/2013/04/30/the-cost-to-consumers-of-a-data-breach/?partner=rss&emc=rss

Instagram Reversal Doesn’t Appease Everyone

Ryan Cox, a 29-year-old management consultant at ExactTarget, an Indianapolis-based interactive marketing software company, said he had already moved his photos to Flickr, Yahoo’s photo-sharing app, where he could have better control.

Mr. Cox said the uproar this week over whether Instagram owned its users’ photos was “a wake-up call.”

“It’s my fault,” he continued. “I’m smart enough to know what Instagram had and what they could do — especially the minute Facebook acquired them — but I was a victim of naïve optimism.”

“Naïve optimism” is as good a term as any for the emotion that people feel as they put their private lives onto social networks.

Companies like Google, Twitter, Yelp and Facebook offer themselves as free services for users to store and share their most intimate pictures, secrets, messages and memories. But to flourish over the long term, they need to seek new ways to market the personal data they accumulate. They must constantly push the envelope, hoping users either do not notice or do not care.

So they sell ads against the content of an e-mail, as Google does, or transform a user’s likes into commercial endorsements, as Facebook does, or sell photographs of your adorable 3-year-old, which is what Instagram was accused of planning this week.

“The reality is that companies have always had to make money,” said Miriam H. Wugmeister, chair of Morrison Foerster’s privacy and data security group.

Even as Instagram was pulling back on its changed terms of service on Thursday night, it made clear it was only regrouping. After all, Facebook, as a publicly held corporation, must answer to Wall Street’s quarterly expectations.

“We are going to take the time to complete our plans, and then come back to our users and explain how we would like for our advertising business to work,” Kevin Systrom, Instagram’s youthful co-founder, wrote on the company’s blog.

Instagram’s actions angered many users who were already incensed over the company’s decision earlier this month to cut off its integration with Twitter, a Facebook rival, making it harder for its users to share their Instagram photos on Twitter.

Users were apprehensive that the new terms of service meant that data on their favorite things would be shared with Facebook and its advertisers. Users also worried that their photos would become advertising.

Instagram is barely two years old but has 100 million users. Last spring, Facebook announced plans to buy it in a deal that was initially valued at $1 billion. The deal was closed in September for a somewhat smaller amount.

For some users, Mr. Systrom’s apology and declaration that “Instagram has no intention of selling your photos, and we never did” was sufficient.

National Geographic, which suspended its account in the middle of the uproar, held a conference call with members of Facebook’s legal and policy teams. Afterward, the magazine, which has 658,000 Instagram followers, said it would resurrect its account.

Also mollified was Noah Kalina, who took wedding photographs earlier this year for Mark Zuckerberg, the founder of Facebook. In a widely circulated post on Twitter, Mr. Kalina said the new terms of service were “a contract no professional or nonprofessional should ever sign.” His advice: “Walk away.”

On Friday, the photographer said he had walked back. “It’s nice to know they listened.”

Kim Kardashian, the most followed person on Instagram, said on Tuesday that she “really loved” the service — note the past tense — and that the new rules were not “fair.” She had yet to update her 17 million Twitter followers on Friday, but since she is pushing her True Reflection fragrance it is a safe bet that she has forgiven and forgotten.

Article source: http://www.nytimes.com/2012/12/22/technology/instagram-reversal-doesnt-appease-everyone.html?partner=rss&emc=rss

Bucks Blog: Thursday Reading: Why Some Students Believe They Must Cheat

October 04

Why some students believe they must cheat, new e-readers let in more light, hackers breach 53 universities and post personal data online and other consumer-focused news from The New York Times.

Article source: http://bucks.blogs.nytimes.com/2012/10/04/thursday-reading-why-some-students-believe-they-must-cheat/?partner=rss&emc=rss

F.T.C. Settles Privacy Issue at Facebook

The order, announced by the Federal Trade Commission in Washington, stems largely from changes that Facebook made to the way it handled its users’ information in December 2009. The commission contended that Facebook, without warning its users or seeking consent, made public information that users had deemed to be private on their Facebook pages.

The order also said that Facebook, which has more than 800 million users worldwide, in some cases had allowed advertisers to glean personally identifiable information when a Facebook user clicked on an advertisement on his or her Facebook page. The company has long maintained that it does not share personal data with advertisers.

And the order said that Facebook had shared user information with outside application developers, contrary to representations made to its users. And even after a Facebook user deleted an account, according to the F.T.C., the company still allowed access to photos and videos.

All told, the commission listed eight complaints. It levied no fines and did not accuse Facebook of intentionally breaking the law. However, if Facebook violated the terms of the settlement in the future, it would be liable to pay a penalty of $16,000 a day for each count, the F.T.C. said.

Mark Zuckerberg, the chief executive of Facebook, conceded in a lengthy blog post that the company had made “a bunch of mistakes,” but said it had already fixed several of the issues cited by the commission.

“Facebook has always been committed to being transparent about the information you have stored with us — and we have led the Internet in building tools to give people the ability to see and control what they share,” he wrote. By way of example, Mr. Zuckerberg pointed to more explicit privacy controls that the company introduced over the summer.

Facebook has long wanted its users to post content — links, opinions, pictures and other data — on their Facebook pages with minimal effort, or “friction,” as company executives call it. The settlement with the F.T.C. will undoubtedly require it to introduce more such friction.

The order requires Facebook to obtain its users’ “affirmative express consent” before it can override their own privacy settings. For example, if a user designated certain content to be visible only to “friends,” Facebook could allow that content to be shared more broadly only after obtaining the user’s permission.

On Tuesday evening there seemed to be some disagreement about what the agreement entailed. A Facebook spokesman said in response to a question that it did not require the company to obtain “opt in” data-sharing permission for new products.

But David Vladeck, director of the bureau of consumer protection at the F.T.C., said Facebook would have to inform its users about how personal data would be shared even with new products and services that it introduces over the next two decades. “The order is designed to protect people’s privacy, anticipating that Facebook is likely to change products and services it offers,” he said.

Ever since its public release in 2004, Facebook has drawn an ever-larger number of members, even as its sometimes aggressive approach to changes around privacy has angered some of its users.

“We’ve all known that Facebook repeatedly cuts corners when it comes to its privacy promises,” Eric Goldman, a law professor at Santa Clara University, wrote in an e-mail after the announcement. “Like most Internet companies, they thought they could get away with it. They didn’t.”

Facebook is also obliged to undergo an independent privacy audit every two years for the next 20 years, according to the terms of the settlement.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, which is part of a coalition of consumer groups that filed a complaint with the F.T.C., commended the order but said settlements with individual companies fall short of what is needed: a federal law to protect consumer privacy.

“We hope they will establish a high bar for privacy protection,” Mr. Rotenberg said. “But we do not have in the United States a comprehensive privacy framework. There is always a risk other companies will come along and create new problems.”

Several privacy bills are pending in Congress, and Internet companies have stepped up their lobbying efforts. The F.T.C., meanwhile, has ratcheted up its scrutiny of Internet companies. This year alone, it has reached settlement orders with some of the giants of Silicon Valley, including Google.

The order comes amid growing speculation about Facebook’s preparations for an initial public offering, which could be valued at more than $100 billion. The settlement with the F.T.C., analysts say, could potentially ease investors’ concerns about government regulation by holding the company to a clear set of privacy prescriptions.

“When you have an I.P.O. you don’t want investors to be skeptical or jittery,” said Ryan Calo, who leads privacy research at the Center for Internet and Society at Stanford Law School. “In order for you to be as valuable as possible, you want to make sure the seas are calm. This calms the seas.”

Article source: http://feeds.nytimes.com/click.phdo?i=b7985873ee9a7ed1a936429be352a03b

Europe Tries to Curb U.S. Role in Tracking Terrorists’ Funds

BRUSSELS — The European Commission on Wednesday presented proposals for tracking the finances of terrorists in Europe that are aimed at ending the primary role of the United States in those efforts.

The European Union needed “to find a European solution for extracting the requested data on European soil,” said Cecilia Malmström, the E.U. commissioner for home affairs.

Many E.U. lawmakers have long objected to an existing program that sends information on financial transactions in bulk to the United States where it is sifted for evidence of terror plots.

That program was established by the administration of George W. Bush in the wake of the attacks on the United States on Sept. 11, 2001. The program became a symbol of differences between the United States and the European Union over how to balance personal privacy guarantees with concerns on national and international security.

Ms. Malmström’s proposals could help to quell criticisms that financial tracking jeopardizes European standards of privacy by establishing a parallel system that would share tips with the United States and other powers.

Any European system “would need to fully respect fundamental rights, and in particular ensure a high level of data protection,” said Ms. Malmström.

A key objective would be “limiting the amount of personal data transferred to the U.S.,” according to a statement by Ms. Malmström’s department.

The commission already has discussed plans to create a so-called European Terrorist Finance Tracking System with the American authorities who have participated in expert meetings on the initiative.

But a European system still could cost nearly 50 million euros to implement and about 11 million euros in annual running costs. Depending on how a European system was designed, it also could require unprecedented cooperation among the security services of fractious E.U. member states, raising questions about feasibility.

The current program allows American agencies to get access to European banking data held by a cooperative — the Society for Worldwide Interbank Financial Telecommunication, or Swift — which is responsible for routing trillions of dollars daily among banks, brokerage houses, stock exchanges and other institutions.

But members of the European Parliament and other campaigners have complained for years that the program undermines privacy because it requires large batches of information to be sent to the United States for analysis and storage there.

Frustration among members of the Parliament welled up in February 2010, when they vetoed a previous accord and deprived the United States of access to the information.

The European Commission, the E.U. executive, then led negotiations with the United States to win assurances that any requests for information would be evaluated by the European police agency, Europol.

The European Parliament approved a revised agreement in July 2010.

But some lawmakers who approved that agreement have criticized Europol for too readily approving American requests for large amounts of data, and they have suggested they could withdraw their support again in the future.

Article source: http://feeds.nytimes.com/click.phdo?i=e8707874f8113dc703cd591f09ecbaa2

Gadgetwise: Q&A: Upgrading on the Up-and-Up

Many Windows XP users out there (not me) cling to their PCs, which came from a small storefront that had a “funny” software license for the operating system. Now they would like to upgrade to Windows 7, but experience strange messages from Microsoft. Is there any way to upgrade?

To crack down on software piracy, Microsoft created its Genuine program so that only legitimate, licensed copies of its software were eligible for upgrades and support. When one tries to use a Windows 7 upgrade disc to update a computer running a counterfeit copy of Windows XP, the most likely result will be a screen full of software activation errors that derails the process.

Buying the full version of Windows 7 (instead of the cheaper upgrade edition) and installing a fresh, legitimate copy of the system is one way to upgrade. This process does involve copying all the personal data from the computer to an external drive before installing Windows 7 — and then copying all the content back after the installation — but it should take care of those Microsoft messages. Just make sure the computer meets the Windows 7 requirements.

Article source: http://feeds.nytimes.com/click.phdo?i=77eddf298ab68001640acd09433dafb8