Guidance Settles FTC Charges

Guidance Software Inc. has agreed to settle Federal Trade Commission charges that its failure to take reasonable security measures to protect sensitive customer data contradicted security promises made on its Web site and violated federal law. According to the FTC, Guidance’s data-security failure allowed hackers to access sensitive credit card information for thousands of consumers. The settlement will require the company to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 10 years.

Guidance sells software and related training, materials, and services customers use to investigate and respond to computer breaches and other security incidents.

According to the FTC complaint, Guidance failed to implement simple, inexpensive and readily available security measures to protect consumers’ data. In contrast to claims about data security made on Guidance’s Web site, the company created unnecessary risks to credit card information by permanently storing it in clear readable text. In addition, the complaint alleges that Guidance failed to protect the information by:

* failing to assess adequately the vulnerability of its network to commonly known or reasonably foreseeable Web-based attacks, such as structured query language injection attacks;

* failing to implement simple, low-cost, and readily available defenses to such attacks;

* storing in clear, readable text network administrator credentials, such as user name and password, that facilitated access to credit card information stored on the network;

* failing to use readily available security measures to monitor and limit access from the corporate network to the Internet; and

* failing to employ measures to detect unauthorized access to consumers’ credit card information.

The settlement bars misrepresentations about security measures in the future and requires Guidance to establish and maintain a comprehensive information-security program that includes administrative, technical, and physical safeguards. The settlement also requires Guidance to obtain, every two years for the next 10 years, an audit from a qualified, independent, third-party professional to assure that its security program meets the standards of the order. The company also will be subject to standard record keeping and reporting provisions to allow the FTC to monitor compliance.

Posted under Privacy

This post was written by George Bounacos on November 20, 2006

Xanga Fined For Violating Children’s Privacy

Social networking Web site operators Xanga.com, Inc. and its principals, Marc Ginsburg and John Hiler, will pay a $1 million civil penalty for allegedly violating the Children’s Online Privacy Protection Act (COPPA) and its implementing Rule, under the terms of a settlement with the Federal Trade Commission announced this week.

According to the FTC, Xanga.com collected, used, and disclosed personal information from children under the age of 13 without first notifying parents and obtaining their consent. The penalty is the largest ever assessed by the FTC for a COPPA violation, and is more than twice the next largest penalty.

The complaint charges that the defendants had actual knowledge they were collecting and disclosing personal information from children. The Xanga site stated that children under 13 could not join, but then allowed visitors to create Xanga accounts even if they provided a birth date indicating they were under 13. Further, they failed to notify the children’s parents of their information practices or provide the parents with access to and control over their children’s information. The defendants created 1.7 million Xanga accounts over the past five years for users who submitted age information indicating they were under 13.

“Protecting kids’ privacy online is a top priority for America’s parents, and for the FTC,” said FTC Chairman Deborah Platt Majoras. “COPPA requires all commercial Web sites, including operators of social networking sites like Xanga, to give parents notice and obtain their consent before collecting personal information from kids they know are under 13. A million-dollar penalty should make that obligation crystal clear.”

Xanga.com - Xanga.com is one of the most popular social networking sites on the Internet. After setting up a personal profile, users can post information about themselves for other users to read and respond to. On Xanga.com, users can create their own pages or Web logs (blogs) that contain profile information, online journals, text, hypertext images, as well as links to audio, video, and other files or sites. Information on the Xanga site is available to the general public through the use of global search engines such as Google and Yahoo.

Incorporated in 1999 and based in New York City, privately held Xanga.com, Inc. was founded by Ginsburg and Hiler. In 2005, Xanga had about 25 million registered accounts.

The Commission’s Complaint - According to the Commission’s complaint, the defendants violated COPPA, the COPPA Rule, and the FTC Act by collecting personal information from children with actual knowledge that they were under the age of 13, failing to post on their site sufficient notice of their information practices regarding children, failing to notify parents directly about their information practices regarding children, and failing to obtain verifiable parental consent before collecting, using, or disclosing children’s personal information. The complaint also alleges the defendants failed to provide parents with reasonable access to and control over their children’s information on the Xanga.com site.

The Consent Order - The consent order is designed to prohibit Xanga, Ginsburg, and Hiler from violating COPPA and the COPPA Rule in the future. Accordingly, it contains strong conduct provisions that will be monitored by the FTC. The order specifically prohibits the defendants from violating any provision of the Rule and requires them to delete all personal information collected and maintained by the site in violation of the Rule. The defendants further must distribute the order and the FTC’s How to Comply with the Children’s Online Privacy Protection Rule to certain company personnel. The order also contains standard compliance, reporting, and record keeping provisions to help ensure the defendants abide by its terms.

To provide resources to parents and their children about the risks associated with social networking sites, the order additionally requires the defendants to provide links on certain of their sites to FTC consumer education materials for the next five years. First, the defendants must include a link to the Children’s Privacy section of the Commission’s ftc.gov site on any site they operate that is subject to COPPA. Second, the defendants must include links to the Commission’s recently published safety tips for social networking on any of their social networking sites.

The order requires the defendants to pay a civil penalty of $1 million for violating the COPPA Rule, as detailed above.

The Commission vote approving the complaint and consent decree and order was 5-0. They were filed by the Department of Justice on the FTC’s behalf on September 7, 2006, in the U.S. District Court for the Southern District of New York.

Posted under Privacy

This post was written by George Bounacos on September 8, 2006

Free Credit Report Monitoring For AT&T Customers Whose Data Was Breached

AT&T Inc. today said that unauthorized persons illegally hacked into a computer system and accessed personal data, including credit card information, from several thousand customers who purchased DSL equipment through the company’s online Web store.

The unauthorized electronic access took place over the weekend, was discovered within hours, and the online store was shut down immediately. AT&T also quickly notified the major credit card companies whose customer accounts were involved. The company is now working with law enforcement.

Customer notifications are ongoing by email, phone and letter to fewer than 19,000 customers. In addition to notifying those customers who were affected, the company will pay for credit monitoring services to assist in protecting the customers involved.

“We recognize that there is an active market for illegally obtained personal information. We are committed to both protecting our customers’ privacy and to weeding out and punishing the violators,” said Priscilla Hill-Ardoin, chief privacy officer for AT&T. “We deeply regret this incident and we intend to pay for credit monitoring services for customers whose accounts have been impacted. We will work closely with law enforcement to bring these data thieves to account.”

Customers who have been affected have been provided with a toll-free number to call for more information.

Posted under Privacy

This post was written by George Bounacos on August 29, 2006

CardSystems Settles FTC Charges

In the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems’ failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law. According to the FTC, the security breach resulted in millions of dollars in fraudulent purchases. The settlement will require CardSystems and Pay By Touch to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years.

This is the ninth FTC case targeting companies whose security practices compromised consumers’ confidential financial information, and the first the Commission has brought against a credit card processor.

“CardSystems kept information it had no reason to keep and then stored it in a way that put consumers’ financial information at risk,” said Deborah Platt Majoras, Chairman of the FTC. “Any company that keeps sensitive consumer information must take steps to ensure that the data is held in a secure manner.”

According to the FTC, CardSystems provided merchants with products and services used in “authorization processing” – obtaining approval for credit and debit card purchases from the banks that issued the cards. Last year, it processed about 210 million card purchases, totaling more than $15 billion, for more than 119,000 small and mid-size merchants. In processing these transactions, CardSystems collected personal information from the magnetic stripe of the card, including the card number, expiration date, and other data. CardSystems then stored this information on its computer network. Pay By Touch acquired CardSystems’ assets in December 2005, and now processes transactions for the same merchants CardSystems served.

The FTC charged that CardSystems engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive consumer information. Specifically, the agency alleges that CardSystems:

* created unnecessary risks to the information by storing it;
* did not adequately assess the vulnerability of its computer network to commonly known or reasonably foreseeable attacks, including “Structured Query Language” injection attacks;
* did not implement simple, low-cost, and readily available defenses to such attacks;
* did not use strong passwords to prevent a hacker from gaining control over computers on its computer network and access to personal information stored on the network;
* did not use readily available security measures to limit access between computers on its network and between its computers and the Internet; and
* failed to employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations.

According to the FTC’s complaint, these practices compromised millions of credit and debit cards, and led to millions of dollars in fraudulent purchases. In addition, after the fraud was discovered, banks cancelled and re-issued thousands of credit cards, and consumers experienced inconvenience, worry, and time loss dealing with the affected cards.

The proposed settlement requires CardSystems and Pay By Touch to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires them to obtain – every two years for the next 20 years – an audit from a qualified, independent, third-party professional that confirms that its security program meets the standards of the order, and to comply with standard bookkeeping and record-keeping provisions.

This case is similar to prior FTC actions involving alleged failures to secure credit and debit card information. As in the prior cases, CardSystems faces potential liability in the millions of dollars under bank procedures and in private litigation for losses related to the breach.

Posted under Customer Service

This post was written by George Bounacos on April 26, 2006

ISP Deliberately Sold Data, Says NY Lawsuit

New York Attorney General Eliot Spitzer has sued a company responsible for what is believed to be the largest deliberate breach of privacy in internet history.

The suit against web site operator Gratis Internet alleges that the company sold personal information obtained from millions of consumers under a strict promise of confidentiality.

“Unless checked now, companies that collect and sell information on consumers will continue to find ways to erode the basic standards that protect privacy in the internet age,” Spitzer said.

Spitzer’s office began an investigation early last year of companies involved in “data mining,” the compilation and sale of marketing lists. The focus of the investigation quickly turned to Gratis, a Washington, D.C.-based company that owns and operates several web sites that provide consumers with ways to receive free products, generally through free trials of yet other products. These sites include or have included: FreeiPods.com, FreeCDs.com, FreeDVDs.com and FreeVideoGames.com.

From 2000 through 2004 Gratis made numerous explicit promises to the users of its web sites about protecting personal information. Among the promises the company made were:

“We will never give out, sell or lend your name or information to anyone”;

“We will never lend, sell or give out for any reason your email address or personal information”;

“We at [Gratis web site] respect your privacy and do not sell, rent or loan any personally identifiable information regarding our customers to any third party”; and

“Please note that we do not provide your E-mail address to our business partners.”

Even on its sign-up pages, Gratis promised consumers that it “does not . . . sell/rent emails.”

However, the Attorney General’s investigation confirmed that Gratis’s owners, Peter Martin and Robert Jewell, repeatedly violated these promises during 2004 and 2005 by selling access to lists of millions of Gratis’s customers to three independent email marketers. The marketers then sent hundreds of millions of email solicitations to those users, on behalf of their own customers. In each of these deals, Gratis wrongfully shared between one and seven million confidential user records. This is believed to be the largest deliberate breach of a privacy policy ever discovered by U.S. law enforcement.

Leading privacy advocates praised the lawsuit:

Marc Rotenberg, the Executive Director of the Electronic Privacy Information Center based in Washington D.C. said: “Without strong enforcement, privacy policies are meaningless. We support the efforts of the New York Attorney General to safeguard consumer privacy.”

Beth Givens, Director of the Privacy Rights Clearinghouse, a consumer advocacy organization said: “Attorney General Spitzer continues to send a strong message to Gratis and others like it who would sell their email lists to spammers when their privacy policy says otherwise: Deception doesn’t pay.”

The suit also sets forth how, during the course of its investigation, Gratis repeatedly, but falsely, denied that such data sharing had even occurred. In one written response to the Attorney General, for instance, Gratis assured the Attorney General that “at all times during its existence . . . Gratis has never sold, rented, or lent email addresses or personal information of its users to any third-party and the company has always maintained control over and ownership of such information.”

The Attorney General’s suit cites specific data sharing contracts, as well as testimony and other evidence provided by internet marketers that did business with Gratis. The suit, filed in New York State Supreme Court, seeks penalties and injunctive relief against Gratis and its principals under New York’s consumer fraud statutes.

The lawsuit follows the Attorney General’s settlement, earlier this month, with e-mail marketer Datran Media, to whom Gratis had sold its user records.

Posted under Customer Service

This post was written by George Bounacos on April 20, 2006

Google Continues Hanging Tough Against Government Access To Search Data

Despite apparent compliance from multiple search engines, Google appears to be the one search company challenging a United States Department of Justice subpoena for its records. Citing privacy concerns for its user base, Google vowed to fight the release of the data in court.

The case will be heard in a federal district court in San Jose, near Google’s headquarters, on Monday.

Posted under Privacy

This post was written by George Bounacos on February 21, 2006

FCC Probing Sale of Cell Phone Data

Reacting to reports that private wireless and wireline phone records, including phone numbers dialed, calls received, and even the location of wireless callers, are available for sale, Commissioner Michael J. Copps issued a statement this week.

“The reported abuses highlight the critical need to protect Americans’ personal and private information. Few rights are so fundamental as the right to privacy in our daily lives, yet few are under such constant attack. Americans deserve the security of knowing that their private phone records are not for sale,” Copps said.

The Electronic Privacy Information Center (EPIC) filed a petition about this issue to the FCC in July 2005 with an update by letter in August. Commissioner Copps mentioned EPIC’s petition in his own statement and said, “The FCC must ensure that it is doing everything it can to prevent illegal theft of Americans’ phone records.”

Posted under Privacy

This post was written by George Bounacos on January 21, 2006

Marriott Latest Company To “Lose” Consumer Data

Marriott’s time-share division admitted this week that it could not find personal consumer information, including Social Security Numbers, for more than 200,000 consumers. The company said in a statement that the records may simply be “lost”, but could not rule out theft.

“We regret this situation has occurred and realize this may cause concern for our associates and customers,” said Stephen P. Weisz, MVCI president. “We have recently mailed notifications to associates, timeshare owners and timeshare customers and are available to answer any questions they may have.”

Consumer advocates, meanwhile, continue to express concern over the millions of cases of identity theft occurring each year, many of which can be traced back to data breaches. “Organizations that handle sensitive consumer data must be held accountable for any use of that data,” said Consumer Help Web President Joan Bounacos. “We encourage Congress to enact severe penalties for organizations who breach consumer trust by losing personal data and endangering consumer credit and other records.”

Privacy expert Robert Douglas echoed Bounacos’ comments on his web site, PrivacyToday.com, reporting that he had told The Washington Post, “For the longest time, people have said it’s the consumers’ fault. They don’t shred their bank statements at home, or what have you. But since the California law was passed now we are learning how much of this information has been breached and is floating around out there.”

Marriott joins multiple corporations who have reported data breaches this year, including ChoicePoint and LexisNexis.

Posted under Privacy

This post was written by George Bounacos on December 30, 2005

DSW Shoe Store Didn’t Protect Consumer Data Says FTC

Shoe discounter DSW Inc. has agreed to settle Federal Trade Commission charges that its failure to take reasonable security measures to protect sensitive customer data was an unfair practice that violated federal law. According to the FTC, DSW’s data-security failure allowed hackers to gain access to the sensitive credit card, debit card, and checking account information of more than 1.4 million customers. The settlement will require DSW to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 20 years.

Columbus, Ohio-based DSW operates approximately 190 stores in 32 states. In 2004, DSW generated $961 million in net sales and sold approximately 23.7 million pairs of shoes.

According to the FTC’s complaint, DSW uses computer networks to obtain authorization for credit card, debit card, and check purchases at its stores and to track inventory. For credit and debit card purchases, DSW collects information, such as name, card number, and expiration date, from the magnetic stripe on the back of the cards. This magnetic stripe information is particularly sensitive because it contains a security code that can be used to create counterfeit cards that appear genuine in the authorization process. For check purchases, DSW collects information such as routing number, account number, check number, and the consumer’s driver’s license number and state. In each case, the information was wirelessly transmitted to a computer network located in the store, and from there was sent to the appropriate bank or check processor.

The FTC charges that until at least March 2005, DSW engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive customer information. Specifically, the agency alleges that DSW:

  • created unnecessary risks to sensitive information by storing it in multiple files when it no longer had a business need to keep the information;
  • failed to use readily available security measures to limit access to its computer networks through wireless access points on the networks;
  • stored the information in unencrypted files that could be easily accessed using a commonly known user ID and password;
  • failed to limit sufficiently the ability of computers on one in-store network to connect to computers on other in-store and corporate networks; and
  • failed to employ sufficient measures to detect unauthorized access.

The FTC charges that a total of approximately 1.4 million credit and debit cards and 96,000 checking accounts were compromised, and that there have been fraudulent charges on some of these accounts. Further, some customers whose checking account information was compromised have incurred out-of-pocket expenses in connection with closing their accounts and ordering new checks. Some checking account customers have contacted DSW to request reimbursement for their expenses, and DSW has provided some amount of reimbursement to these customers.

According to DSW’s SEC filings, as of July 2005, the company’s exposure for losses related to the breach ranges from $6.5 million to $9.5 million.

The FTC alleges that DSW’s failure to secure customers’ sensitive information was an unfair practice because it caused substantial injury that was not reasonably avoidable by consumers and not outweighed by offsetting benefits to consumers or competition. The settlement requires DSW to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires DSW to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to assure that its security program meets the standards of the order. DSW also will be subject to standard record keeping and reporting provisions to allow the FTC to monitor compliance.

This is the FTC’s seventh case challenging faulty data security practices by retailers and oth

Posted under Customer Service, Privacy

This post was written by George Bounacos on December 7, 2005

Sony Continues Stumbling Over Failed Copy Protection

In another series of gaffes, Sony Music admitted today that its second round of uninstall software to remove spyware from unsuspecting consumers’ computers exposed those computers to hacker attacks.

The company claims that fewer than 300 people have downloaded the second program, after many more had downloaded the first, which exposed their computers. The latest round of errors was found by Princeton University computer science professor Edward Felten and researcher Alex Halderman. According to ZDNet.com, Professor Felten has agreed to review any subsequent releases by Sony.

Consumer Help Web reported the initial round of problems to consumers on November 3, the day after blogger Mark Russinovich disclosed the problems in Sony’s music CD copy protection to the world.

Less than three weeks ago we wrote, “SonyBMG has placed an onerous burden on consumers that should be immediately lifted”. Sony has not only failed to lift that burden but has endangered the computer safety of the most proactive consumers who followed the company’s directions.

Posted under Privacy

This post was written by George Bounacos on November 18, 2005
