Posts Tagged ‘Privacy’

Getting Sick from Medical Identity Theft

Thursday, July 1st, 2010
Feeling Confident?

Feeling Confident?

Just when you think that the electronic society couldn’t become more inhuman, the U.S. Federal Trade Commission, our over-burdened consumer protection agency, alerts us to signs of medical identity theft:

  • You are billed for medical services that you never received.
  • A debt collector contacts you about medical debt you don’t owe.
  • Your credit report shows medical collection notices that are unfamiliar to you.
  • Your health insurer denies your legitimate claim for medical benefits, stating that you have reached the limit allowed under your plan.
  • You are denied insurance coverage because your medical records reveal a pre-existing condition that you don’t have.

Misuse of your identity can arise from dishonest staff in medical offices filing fraudulent insurance claims with your information or someone has been using your insurance information to obtain medical treatment, which can harm your health as well as your finances. The imposter’s medical information, such as his diagnosis of his condition, may appear on your medical record, exposing you to the risk of improper treatment, possibly leading to injury, illness or death.

In addition to being vigilant about protecting your personal documents, examine your explanation of benefits sent to you each time your insurer pays a claim on your behalf. I used to discard those without reading them. I don’t do that any more; now I look at them carefully and when I discard them, I use a document shredder.

Be Careful About Your Information

Monday, May 18th, 2009
Each One Adds Up

Each One Adds Up

I had advised that small business owners should write to each of the publications to which they subscribe advising that your name, address and other contact information should not be shared with third parties. The idea is to reduce the amount of time that telemarketers can waste. This will improve your productivity in normal business operations. It will also help you to focus on critical communications in the event you are disrupted by a disaster. Spam, telemarketing and unwanted solicitations become more than a nuisance when you are operating from a remote location and trying to deal with a serious disruption to your business. I recently had the experience of receiving persistent calls from a telemarketer who played coy in response to my question as to how he obtained my personal information.

Business that seek contracts with the U.S. federal government are required to register with Dun & Bradstreet, which I did for my own small business when I was responding to a Request for Proposals of the U.S. Agency for International Development. As my registration was a matter of some urgency in order to ensure that I would meet USAID’s deadline, I gave my cell phone number to Dun & Bradstreet solely for the purpose of processing  my registration.  Unbeknownst to me, Dun & Bradstreet re-sold this information to third parties. I began to receive telephone calls on my cell phone from Fortune 500 companies seeking to sell products and services that are totally inappropriate for my small business. Ordinarily I would switch off my cell phone in business meetings out of courtesy to the others present. But as I would explain to other participants at the beginning of each meeting, my circumstances were not ordinary. As my mother was recovering from a traumatic brain injury, I needed to ensure that I could be reached at all times. Since that was the only use of my cell phone, you can imagine how my heart would race and my palms would sweat whenever that phone would ring. And you can further imagine my fury that the calls were unwanted solicitations. When I traced the source of the calls, I notified Dun & Bradstreet in writing that my information is not to be sold to third parties and I wish to be placed on their internal “Do Not Call” list. You should do the same. I think it is an appalling practice that D & B would re-sell this information without the consent of the small business owner, facilitating the abuse and waste of our time. It is particularly offensive to me because we are a captive audience, required to register with D&B if we want to bid on government contracts. Stop the abuse; notify them to keep your information private.

Data Warehousing and the Lifecycle of Information Management

Monday, March 30th, 2009
How Much Is Too Much?

How Much Data Storage Is Too Much?

The lifecycle of information management refers to the determination of which information and data your small business must preserve and protect and over what period of time. It is not productive for any small business to secure and back up information that has become obsolete. (It also raises the risk of human error, as your employees may inadvertently work with files that have aged out of use!) This requires some discipline for properly disposing of out-of-date electronic files. As you develop a strategy for lifecycle information management, here are some of the issues you should consider:

Liability management. The more sensitive customer data you store, the greater your liability for a breach of data. The news media report that computer hackers may have accessed up to 100 million customer records of Heartland Payment Systems, a credit card processor. They are not the only payment processors to report possible data breaches; RBS Worldpay and CheckFree have also been exposed, as has, an employment site. These breaches are costly: $202 per compromised customer file, according to the Ponemon Institute, an organization that researches and consults on privacy and information security matters. What accounts for this cost? Customer attrition is one source of loss, as Ponemon found that health care businesses lost 6.5% of customers and financial businesses lost 5.5% of customers after data breaches. In addition, after a data breach, the affected company must undertake expensive security and legal procedures to deal with the intrusion and offer, at its expense, credit monitoring services to the customers whose data may have been compromised. In some states, there is a legal requirement to offer such a remedy; in all cases, it is a good business practice.

Marketing needs. Customer data may be a valuable asset for new product development, customer retention and customer acquisition. At the recent Information Security Best Practices Conference held at the Wharton School of Business of the University of Pennsylvania, marketing professors Eric Bradlow and Peter Fader discussed the conflicting needs of liability management versus marketing needs. As personally identifiable data are increasingly a liability for companies, Professors Bradlow and Faber recommend a “data minimization” strategy: keep the customer data your business needs for competitive advantage and purge all other data. Too many businesses, they believe, are data pack rats, storing information that serves no marketing purpose.

Legal and compliance requirements. Your business may be subject to certain legal or regulatory requirements for preserving data over a certain period of time. It is best to seek advice from legal counsel when developing your lifecycle information strategy.

Lessons Learned the Hard Way

Tuesday, January 20th, 2009
A Letter You Prefer Not to Receive

A Letter You Prefer Not to Receive

My earlier posting summarizing the lessons an attorney learned the hard way about identity fraud elicited strong response from readers, many of whom preferred to share their experiences by means other than direct posting. This attached image shows a scan of a letter one reader received from the Bank of New York Mellon, which is the custodial bank for his retirement savings account. As you can see, I have redacted the personal identifying information to make sure another misuse of private data does not occur. The letter advises that bank’s archive services vendor lost computer tapes containing personal client information when transporting them to an off-site storage facility. If you double-click on this image, you can read the letter for yourself. Obviously, this is a letter you prefer not to receive, but note that the bank acted proactively to offer free credit monitoring services to the clients who may have been affected, although they had no reason to believe that this information had been misused in any way. As the previous blog entry indicated, one unlucky attorney learned how important this service is. Should you find that any of your personal data may have been compromised, request that the vendor provide this service to you at his expense. And of course, should you ever experience a compromise of the security of your client data, offer to do the same for your clients.

In addition, Cliff Ennico, who is NOT the attorney whose advice I summarized in the earlier blog posting, offered some useful suggestions of his own for information you will need to have readily available in the event of an emergency. I have attached the link here.

Finally, I wanted to add a suggestion of my own. I had an issue with identity fraud when the previous tenant of an apartment I had purchased continuously updated her mail forwarding. By unhappy coincidence we shared the same last name, so that much of my mail was re-routed to her in another state. This mail included frequent flyer statements from the airlines on which I travel (which I now receive electronically rather than in paper form). As a “courtesy” to me, the airlines automatically updated the mail forwarding information with this woman’s address. I only learned of this matter when I called an airline to request frequent flyer awards and was told that they could only mail the tickets (back in the days of paper tickets) to the address on file for me, which was in Tennessee. When I protested that I lived in New York, not Tennessee, the whole issue of the improper mail forwarding came to light. The airline staff advised me to instruct them in writing not to automatically update my account address for mail forwarding unless I specifically request in writing that they do so. I did the same for some of the online and catalog merchants from which I often order products, as they also use mail update services as a “courtesy” to customers whose mail has been forwarded. It is a sad lesson, but vigilance pays.

An Attorney’s Advice – No Charge

Monday, January 19th, 2009

An attorney friend of mine recently had a horrible experience following the theft of his wallet. He sent me the following advice with the request that I post it for you. To minimize your potential losses from credit theft, he recommends the following:

“1. Do not sign the back of your credit cards. Instead, put “photo identification required.”

2. When you are writing checks to pay on your credit card accounts, do not put the complete account number on the “memo” line. Write only the last four numbers. The credit card company knows the rest of the number, and anyone who might be handling your check as it passes through all the check processing channels should not have access to it.

3. Put your work phone number on your checks instead of your home number. If you have a post office box use that instead of your home address. If you do not have a post office box, use your work address.  Never have your social security number printed on your checks. You can add it if it is necessary. But if you have It printed, anyone can access it.

4. Place the contents of your wallet on a photocopy machine. Do both sides of each license, credit card, each piece of identification in your wallet. You will know what you had in your wallet and all of the account numbers and phone numbers to call and cancel. Keep the photocopy in a safe place. I also carry a photocopy of my passport when I travel either here or abroad. We’ve all heard horror stories about fraud that’s committed on us in stealing a name, address, social security number, credit cards. Unfortunately, I, an attorney, have firsthand knowledge because my wallet was stolen last month. Within a week, the thieve(s) ordered an expensive monthly cell phone package, applied for a Visa credit card, had a credit line approved to buy a Gateway computer, received a PIN number from the Department of Motor Vehicles to change my driving record information online, and more.

5. We have been told we should cancel our credit cards immediately. But the key is having the toll free numbers and your card numbers handy so you know whom to call. Keep those where you can find them.

6. File a police report immediately in the jurisdiction where your credit cards, etc., were stolen. This proves to credit providers you were diligent, and this is a first step toward an investigation (if there ever is one). But here’s what is perhaps most important of all (I never even thought to do this):

7. Call the three national credit reporting organizations Immediately to place a fraud alert on your name and also call the social security fraud line number. I had never heard of doing that until advised by a bank that called to tell me an application for credit was made over the Internet in my name. The alert means any company that checks your credit knows your information was stolen, and they have to contact you by phone to authorize new credit. By the time I had been advised to do this, almost two weeks after the theft, all the damage had been done. There are records of all the credit checks initiated by the thieves’ purchases, none of which I knew about before placing the alert. Since then, no additional damage has been done, and the thieves threw my wallet away this weekend (someone turned it in). It seems to have stopped them dead in their tracks. The following are the numbers you always need to contact when your wallet, credit cards or other personal identifying information been stolen:

  • Equifax: 800-525-6285
  • Experian (formerly TRW): 888-397-3742
  • Trans Union : 800-680-7289
  • Social Security Administration (fraud line):800-269-0271″