Hi, this quick "roundup" blog is designed to give you an idea of all the work we've been doing lately to protect your privacy. There's a lot that we're doing because a lot needs to be done!
1) You Need A Security Freeze: Today we released a new report by our consumer advocate Mike Litt on how to protect yourself from the threat of new account identity theft. The title of the report says it all: "Why You Should Get Security Freezes Before Your Information is Stolen." What's a "security freeze?" It's the only way to prevent identity thieves who know your Social Security Number from obtaining credit in your name. "Credit monitoring?" Won't work. As Mike Litt explains in the news release:
“Whether your personal information has been stolen or not, your best protection against someone opening new credit accounts in your name is the security freeze, not the often-offered credit monitoring services, which only alert you after a new account has been applied for or opened. For this kind of ID theft, only a security freeze offers peace of mind.”
The report goes into explanations of the threats from the tsunami of recent breaches, including Blue Cross plans, the IRS, and more. We've also rolled out new "Prevent Identity Theft" and "Learn How To Place A Security Freeze" fact sheets, just click the report or news release links.
5) Why Chip, Not full "Chip and PIN" Protections on New Credit and Debit Cards? In my testimony last week before a hearing of the House Small Business Committee, I explained that the new chips on credit and debit cards will prevent account numbers from being transferred into merchant computers (which has made those computers treasure troves for data breaches), but that had we also added PIN technology, it would also have prevented imposters from using your card. We only upgraded half-way to Chip and PIN, I said, because "Chip and Signature" is best for the banks, but "Chip and PIN" would have been the use of the best available technology, which would have been best for all the rest of us. After all, why have Canada and Europe been using Chip and PIN for over ten years?
6) Will Congress Preempt Strong State Privacy Laws Before It Goes Home? In my testimony last week I also explained that various data breach notice bills before the Congress would not only narrow existing state protections but also include a Trojan Horse preemption provision designed to override the states and prevent them from ever enacting future data security or privacy rights. Perhaps the worst of these bills, HR 2205 (Neugebauer (TX)-Carney (DE)), may be approved by the generally pro-bank House Financial Services Committee as early as next week. Among its intentional infirmities:
- It eliminates strong privacy rules of the FCC and replaces them with weak FTC rules because the telephone and cable industries don't like strong rules.
- It weakens existing weak Gramm-Leach-Bliley Act data security rules that currently apply to financial institutions, then it imposes a higher set of responsibilities on others, such as merchants. Such a two-tiered system is unfair and can be gamed by firms with weaker responsibilities.
- As to its purported consumer benefits, the bill (and others) takes your existing state protections away and replaces them with weaker rights. Then, these rights are only "triggered" for breaches that cause limited financial "harms," and then only if the "risk of harm" is high enough. Keep in mind that under the bill there is another ludicrous proposition: the firm that was too incompetent to protect your information gets to decide whether to tell you that they lost it. I discuss these problems in a recent blog that explains that the latest breaches have demonstrated that consumer harms are much worse and much broader than the narrow harms described in the bill. For example, in addition to financial identity theft, harms might include theft of medical services (myriad Blue Cross breaches), theft of tax refunds (online tax preparer and IRS breaches), and reputational harm, emotional harm and physical harm (as well as any other financial harms) from the U.S. OPM breach of millions of security clearance files. HR 2205 eliminates state protections against these harms, according to any independent expert.
- Finally, the bill sweepingly preempts and prevents any future state data security or privacy protection efforts. To be clear: the bill provides only a modicum of token data breach responsibilities for firms and limited protections for consumers, only some of the time, but includes a vast Trojan Horse provision preempting the states from virtually any future data security activities, while also eliminating existing protection or redress rights to compensate or protect consumers against most, if not all, of those broader harms under state law. Keep in mind that Congress rarely if ever completes a job, but increasingly it kowtows to the demands of powerful special interests to take the states off the beat as a condition of enacting its halfway measures. When new problems arise, the states have shown time and time again that they can lead as first responders able to identify new threats and act quickly and innovatively to protect the public. Taking away that level of state protection leaves consumers, and the economy and environment as well, vulnerable to new threats.
4) Tomorrow I Speak at an FTC Workshop on Deceptive "Lead Generation" Practices on the Internet: A key part of the Internet advertising and data collection ecosystem is the non-transparent lead generation infrastructure. Consumers type "I need a loan" into a search engine and are directed to a site that looks like it gives loans. It doesn't. It asks questions about you, then "lead-scores" you and auctions you to the highest bidding online lender, usually a payday lender. The highest bidding firm is the one that thinks it can make the most money, not the one that could offer you the best deal. The worst bad guy lead generators will then also sell your name again, and again, this time not even to high-cost lenders, but to other bad guys. Our position, however, is that all lead generators, including legitimate ones, need better regulation and more transparency. Our latest report on lead generation is here. Check out all the materials of our project on Big Data and Financial Opportunity.
5) ICYMI: We Ask CFPB "How Did Experian Lose All Those T-Mobile Customer Files Anyway?" In Washington, you don't have to make this stuff up. It writes itself. Just a few weeks ago, a subsidiary of Experian, the credit bureau with files on 200 million Americans, had 15 million T-Mobile customer and applicant files breached. Here's a link to our request for a CFPB investigation.
Anyway, we're doing what we can to help you protect yourself and to help regulators and Congress understand threats to privacy and what to do about them. I hope that this roundup gives you an idea of what we're up to (and what we're up against).