The members of News.com's Roundtable panel have agreed to have a discussion with News.com editors and our readers. Although we cannot guarantee a response for every e-mail, you can submit your questions for panelists here.
From: Jim Harper
Subject: California's attempt to reduce ID fraud: any statistics?
Thu, 27 Oct 2005 14:40:31
The urge to try to pick the right security practices is natural, especially among smart, interested people. But we are talking here about writing general rules that will be applied over the indefinite future. Is it possible to write a rule now about when encryption should be used in all the future contexts that may arise? What about the quality of encryption that must be used? I think the consensus is that it's impossible.
Better to write a rule at a higher level of abstraction, one that focuses on what we really want: consumer protection. The imposition of proportional liability for harming a consumer through data breach puts the encryption decision with the party closest to the problem--the data holder--and puts the risk with the data holder for getting it wrong.
Apropos of Sen. Simitian's comment, I would also argue for placing liability on public sector actors - including government officials in their personal capacities--to get the incentives right. Otherwise, an agency may breach and pay out taxpayer dollars in compensation, but that means little to the people in the agency making decisions.
Sen. Simitian cites his A.B. 1219 as a response to criminal identity fraud. I would be curious to know how many times it has been used since it was enacted three years ago. Senator, did you hit your target?
Also, I'm still curious to know whether A.B. 700 has reduced identity fraud in California. Senator, any statistics?
From: James Van Dyke
Subject: Self-regulation by industry groups
Thu, 27 Oct 2005 14:52:00
In the debate on the need for and design of regulation, we must consider the existence and efficacy of what is effectively self-regulation. Effective regulation need not be solely the product of government entities. Financial industry bodies such as Visa, BITS, and NACHA act to create, implement and occasionally even strongly enforce standards of behavior on the part of their members with regard to the handling of customer financial records.
For example, CardSystems, a processor of payment card transactions for merchants, disclosed that millions of consumer records were exposed, and subsequently were met with plans for network excommunication by Visa and American Express (which will likely be their death knell). Regulation makes the most sense when individual self-interest is not in line with the greater good. However, in a well-organized industry such as financial services, government entities need not be the sole source of regulation.
From: Orson Swindle
Subject: Re: Self-regulation by industry groups
Thu, 27 Oct 2005 14:55:41
Amen!
From: CNET News.com
Subject: Driver's license data and legal fix recommendations
Fri, 28 Oct 2005 07:30:57
One of our readers, Amy Smith, posed this question to the panel:
My question to the panel is what gives a state government agency like the DMV the right to sell my data? I just went to renew my driver's license and nowhere on the form did I see a disclosure that my data might be sold for commercial purposes nor am I given the right to "opt out" if they choose to do so? Is this legal, and if not, what are the implications to agencies and data acquirers? Any thoughts on how the federal "Driver Privacy Protection Act" has worked in practice?
Also, since it's our last day for this roundtable, I wanted to thank you again for participating and ask you what the most important legal fix would be to help reduce the likelihood of identity theft. Is it security breach notification laws, regulations of so-called data brokers, etc.?
From: Chris Hoofnagle
Subject: Re: Drivers license data and legal fix recommendations
Fri, 28 Oct 2005 08:08:26
Amy Smith asks, "what gives a state government agency like the DMV the right to sell my data?"
The federal Drivers Privacy Protection Act has prohibited this practice since 1998, unless the individual opts in to the sale. At least one state (Florida) didn't implement the law until this year. So that might explain it.
The question reveals an attitude that speaks to individuals' anger about privacy. "What gives them the right," is something I hear pretty frequently. The answer is that they can collect your data and use it for almost any purpose unless there is privacy legislation protecting both the data and the context in which it is collected.
There is a pretty strong correlation between invasive practices and self-regulation. And while legislation isn't always perfect, it is privacy law that shields your television records from being collected (Cable Communications Policy Act), your video rental records from being sold (VPPA), and your cell and wireline phones from ringing. If you look at the fields where self-regulation controls, you'll find that your data is being sold to anyone, even criminals, for almost any purpose.
In practice, DPPA has been mediocre. While it did cut off driver's information for commercial purposes, there are 14 exemptions to the law. It is underinclusive in that it only protects your driver record, and so marketing companies now try to get your data from your driver's license (ever had your license "swiped"?). Even if a bar/car rental company says that they are swiping your card for security purposes, in most states, they can keep all of the data captured from it and use it for whatever purpose they see fit.
EPIC has done quite a bit of work on the DPPA, and we recently filed an amicus brief in an 11th Circuit case where we successfully argued that default or "liquidated" damages are available under the law.
As for the most important legal fix for identity theft? I'm for credit freeze. If individuals had more control over their credit reports, it would be less likely that identity thieves, pets and toddlers would be issued credit cards.
Have a nice weekend!
From: Orson Swindle
Subject: Re: Drivers license data and legal fix recommendations
Fri, 28 Oct 2005 9:00:36
Amy Smith's dismay is shared by many, I suspect. The U.S. Code is pretty clear, yet I am sure there are those who see loopholes through which they can continue this practice. Does anyone have an idea as to the magnitude of this practice in revenue terms as a state government "profit center"? For those who believe government should intrude big time and is best suited to solve the identity theft problem with new laws and regs, might this driver's license data situation (where a government entity is allegedly not following the law) be a lesson about the ability of the government to get it right?
As to News.com's last question, a couple of comments:
The Safeguards Rule has essentially been expanded beyond its original scope by the BJs Wholesale Club case. There is a new universe of data users who are not familiar with compliance requirements envisioned in the Safeguards Rule. Congress will likely move on this, but slowly, then there are rules to write. The Center for Information Policy Leadership will provide some rational thoughts to mapping out what needs to be done to cope with Safeguards Rule requirements, expanding existing Rules, and meeting responsibilities for protecting sensitive information.
Second, law enforcement, such as the FTC, needs and has requested more flexibility in cross-border fraud investigative work that will require the ability to share information across borders with law enforcement agencies. Current restrictions often stand as impediments in tracking down the culprits when they are offshore.
There must be greater attention given by CEOs and Corporate/Organization Boards to information security and privacy obligations. These functions need to move from obscurity to the boardroom in significance. The concerns are not going away. Those who invest in better information security practices (in terms of resources and attitude) will gain competitive advantage and those who fail or refuse to do so will suffer much harm as they allow their customers, clients and consumers to be harmed.
General public awareness must be enhanced--constantly. Think of the process of making users of information technology more aware of their responsibilities and vulnerabilities as a journey, not a destination. We must keep this dialogue going, inform the lawmakers, increase private sector leadership, and make sure the public understands how important safe computing practices are for our future.
I look forward to working with you all in my capacity as Chairman of Information Security Projects at the Center and from my new relationship with The Progress & Freedom Foundation.
From: Joe Simitian
Subject: A defense of California's data-security laws
Fri, 28 Oct 2005 13:58:39
Lots of ground to cover today.
Jim Harper asks about the level of use of AB 1219 in California to help mitigate the impact of criminal identity theft. Honest answer is: I don't know. After three years on the books, this would be a good time to assess whether the statute has been put to good use.
As to the effectiveness of AB 700/SB 1386--we'll never know for sure what steps informed consumers have taken, or with what effect, in the aftermath of a data security breach. Perhaps more importantly, we do know that in response to AB 700/SB 1386, the private sector has taken steps to improve security and avoid the problem altogether.
Prior to the July 1, 2003 implementation of AB 700 I met in Los Angeles with 200 data security breach experts from around the country at a conference organized, in part, by the U.S. Secret Service. They were ramping up new protections to help their clients avoid a breach and subsequent notice requirement. I later heard quite a bit about folks along the Route 128 corridor around Boston (where there is apparently significant expertise in this area) ramping up their efforts.
So, we'll never know what breaches were avoided; but we do know security was improved in direct response to the legislation.
As to the provocative question of the day (i.e., what's the single most important step we could take?), I'd like to suggest we think big on this.
We need a fundamental change in our thinking about who our personal information belongs to. Does it "belong" to anyone who happens to have it? Or does it belong to each of us individually? If we took the view that our personal information is our own, and that each of us is entitled to control the manner in and extent to which it is used, the privacy world would look quite different.
the first thing I want to know is whether the data was encrypted;
and that's the one thing the news story never mentions.
The text of SB-1386 makes direct reference to encryption (or lack thereof) as a key indicator of whether a firm is obligated to notify. I would like to know the following:
1. why and where you think encryption is important for safeguarding sensitive information? Given the fact that most data theft occurs "offline" (eg the laptop that was stolen from BofA), my perspective is that all these laptops and PDAs should have full-disk encryption.
2. What do you think of Senator Feinstein's attempts to introduce data privacy laws at the federal level? She seems to be championing the CA laws but has now thrown her support at the Specter-Leahy bill.
3. I know you are a state legislator, but do you support the Specter-Leahy Bill (Data Privacy and Security Act of 2005) as an effective measure against ID theft? Why or why not? To me, it appears to be a strong and comprehensive measure.
Someone may have the student records, patient records, etc.. and just may not have found the right buyer on IRC yet. Or maybe someone bought the data and is sitting on it to make people think that nothing happened with the data until they get a chance to use it.
I know someone whose "card" was used to withdraw cash from an ATM while the card was really in his wallet at home with him. The bank didn't believe him and haven't repaid him.
The way they do it is that they glue a little gadget on an ATM on the slot where you put in your card. When you insert the card it records the data on the magnetic strip, and a small camera records you typing your PIN. Then they can produce a card with the same data and use your PIN to withdraw cash.
The real problem is not having to type a PIN. If a cashier wants to steal your credit card number she can also get your PIN with a bit more effort. The real problem is the concept that giving a number or some kind of data that never changes can be used as proof of identity. It could be used so in the past when it was hard to collect and correlate data. No more. Now everything is connected to one big net and the information can be collected and correlated. When you make a purchase with a credit card you give a number, a name (and a security code that used to be something merchants didn't collect, but they do now) or some other info. Whoever gets this info can use this info to make purchases anywhere using your line of credit. It worked and still works because the percentage of fraudulent use is small enough to insure profitably. When the percentage of fraudulent use will reach some low threshold that would make insurance unprofitable this business model will collapse. What is needed is a different model, where the credentials given when making a purchase are only used for that one particular purchase, i.e., can only be used by one particular merchant to charge one particular customer one particular amount on one particular date/time. This information cannot be sold because it is useless.
The same applies to any other kind of fixed data: the fact that someone can supply a name, an address, a driver's license number and an SSN, and perhaps some other identifying info does not mean that this someone is you. It used to mean that it is you. Not any more. With millions of computers taken over by criminals and information collected, and with the computation power crooks gain by combining the power of millions of zombie PCs into distributed supercomputers, large quantities of rich "personal profiles" can be assembled by crooks to provide what would in the past be considered a perfect proof of identity.
Different methods of providing proof of identity are needed - and are needed now!
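An added illustration of the model the comment above proposes, not part of the original comment and not any real payment scheme: a credential bound to one customer, one merchant, one amount and one time window, and accepted only once. The HMAC construction, the five-minute window, the shared per-customer key and every name in the code are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

MAX_AGE_SECONDS = 300  # assumed validity window for one authorization


def _fields(token):
    # The values the MAC binds together: who pays, who is paid, how much, when.
    return (token["customer"], token["merchant"], token["amount_cents"],
            token["issued_at"], token["nonce"])


def _mac(key, fields):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    parts = (str(f).encode() for f in fields)
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_token(key, customer_id, merchant_id, amount_cents, now=None):
    """Customer side: authorize exactly one charge by one merchant."""
    token = {
        "customer": customer_id,
        "merchant": merchant_id,
        "amount_cents": amount_cents,
        "issued_at": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(16),
    }
    token["mac"] = _mac(key, _fields(token))
    return token


class Issuer:
    """Card issuer side: verifies a token against the charge a merchant submits."""

    def __init__(self, customer_keys):
        self._keys = customer_keys   # customer id -> secret key (assumed provisioned)
        self._seen = set()           # (customer, nonce) pairs already spent

    def authorize(self, token, merchant_id, amount_cents, now=None):
        # merchant_id is assumed to come from the authenticated merchant
        # connection, not from anything the merchant can choose freely.
        now = int(now if now is not None else time.time())
        key = self._keys.get(token.get("customer"))
        if key is None:
            return "unknown-customer"
        try:
            expected = _mac(key, _fields(token))
        except KeyError:
            return "malformed"
        supplied = str(token.get("mac", ""))
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return "bad-mac"
        if token["merchant"] != merchant_id:
            return "wrong-merchant"
        if token["amount_cents"] != amount_cents:
            return "wrong-amount"
        if not 0 <= now - token["issued_at"] <= MAX_AGE_SECONDS:
            return "expired"
        spent = (token["customer"], token["nonce"])
        if spent in self._seen:
            return "replayed"
        self._seen.add(spent)
        return "approved"


def demo():
    """Constructed scenario: one purchase, then attempts to reuse the credential."""
    key = secrets.token_bytes(32)
    issuer = Issuer({"cust-1": key})
    t0 = 1_700_000_000  # constructed timestamp
    tok = issue_token(key, "cust-1", "bookshop", 2599, now=t0)
    stale = issue_token(key, "cust-1", "bookshop", 2599, now=t0)
    forged = dict(tok, amount_cents=99999)  # token edited after it was issued
    return {
        "other_merchant": issuer.authorize(tok, "electronics", 2599, now=t0 + 10),
        "inflated_charge": issuer.authorize(tok, "bookshop", 99999, now=t0 + 10),
        "edited_token": issuer.authorize(forged, "bookshop", 99999, now=t0 + 10),
        "legitimate": issuer.authorize(tok, "bookshop", 2599, now=t0 + 10),
        "second_use": issuer.authorize(tok, "bookshop", 2599, now=t0 + 20),
        "an_hour_later": issuer.authorize(stale, "bookshop", 2599, now=t0 + 3600),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16s} {result}")
```

A copy of such a token taken from a merchant's database authorizes nothing further, which is the property the comment asks for; the long-term key never leaves the customer's device and the issuer.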
from it - the banks and card companies take back the stolen money from
the merchants, they also take fees and charges as well, and they also
keep their commission from the fraudulent sale. Merchants - the
people ultimately paying for fraud - then have to put their prices up
to cover it (which in turn puts up the profits for the card companies
taking higher commissions from sales).
Since eradicating fraud will cut bank profits by billions of dollars,
it is us who are stupid to think that they would ever do so.
I wish to ask the following questions:
Encryption, firewalls, biometrics, multi-level authentication, etc.
Can they stop a bank officer who is legally authorised to access the bank's encrypted database from retrieving customers' profiles on screen and copy the IDs off the screen? After all insider theft is one of the most common methods of ID theft.
Credit report monitoring
This service is not going to reveal that your ID has been used by a criminal or illegal immigrant to apply for a job, rent an apartment, get married, buy a mobile phone, subscribe to the internet, apply for a new driving license, etc.
Paper Shredders
If you shred every piece of paper in your house, from your wallet, from your office desk, and replace your letter box with a paper shredder, can you stop a criminal from stealing your ID located at the many application forms, computer records located in hundreds of filing cabinets and databases at hundreds of offices around the country?
ID Legislation
We are presently seeing an unfolding story of top officers in the country leaking sensitive employee data .. would a criminal with a long criminal history be concerned about being slapped on the wrist for stealing an ID?
Legislation to shred all sensitive office documents.
The law might require every office to shred papers containing customers' IDs but what is to stop the person in charge of the shredder from copying those IDs before he shreds the papers?
It all seems like the encryption software vendors, biometrics vendors, paper shredders sellers, credit monitoring services and politicians are out to make a quick buck and earn a vote or two.
By offering these so-called advice, tips and so-called security services, we are creating a false sense of security and as a result the public lets their guard down, making life easier for the criminals and ID thieves, shifting the responsibility and blame away from companies and create a lot of hot air.
Where are the real experts?
A false sense of security is worse than no security at all!
lose time and money when they must close accounts and establish
new accounts when personal data is compromised by companies with
whom they do business.
When my brokerage reported that they had lost backup files of
their customer database, I had to establish a relationship with
a new brokerage, setup new accounts for trading, each 401k, each
IRA rollover, etc. as well as execute dozens of documents to
effect the transfer of assets. This process took several weeks
at a significant cost of time, money and the ability to trade
even though no identity fraud occurred.
Both my PayPal and my Ebay accounts were hacked and I cancelled my accounts with them as well. Fortunately PayPal notified me just as the bank and credit card companies did, and I lost no money. However cancelling accounts is no solution to an epidemic problem.
Since then, they have hacked my Classmates password, (I had to cancel it also as it provided a host of information), and they continue to hack my Hotmail account on a daily basis in order to use my account to send spam containing trojans.
I change my sixteen digit Hotmail password almost on a daily basis, and I have notified Microsoft about the problem at least three times, yet the attacks continue. They force hack my account and Microsoft seems powerless or unwilling to stop it. I have determined that the hackers come from Brazil, Germany and Russia.
The most recent disturbing attacks have been against my online banking account. Fortunately Chase notified me of the problem and I've changed from an eight digit to a thirty two digit password. They tried again and I've had to change the thirty two digit password once, but Chase has been responsible about their security and those attacks have ceased for the present.
This has gotten completely out of hand. There must be some reliable form of biometric passwords that will foil hackers once and for all. Perhaps a rock solid secure central location of fingerprints or finger blood vessels that Hitachi just developed? Or maybe life in prison terms for thousands of hackers who steal other people's livelihood and are ruining the Web's commerce? Quite frankly, I no longer make web purchases other than my online banking service. I'm sure millions of others have stopped also.
I would like to see some really secure proposals out there folks. I don't think we can wait for point of light defense and I'm not sure how that would work for secure logging on to other sites. Any suggestions?????
They used to give away toasters with every account opened and they can afford to give fingerprint or iris readers to account holders who wish to access their account online. No body = no banking.
This whole discussion stems from recent thought that if the financial industry were made 100% responsible for all aspects of identity theft the problem would be solved overnight. This is basically an attempt to blame everyone else for the problem. I see no reason why fingerprint ID could not be encoded into credit cards and be mandatory. I see no reason you couldn't go to your local law enforcement agency and verify your identity then place a stop payment on every transaction by anyone who uses your identity to purchase anything without your thumb print. A few people may lose their thumb, however the attacker will be known and not in some corrupt foreign land which protects him.
http://www.theregister.co.uk/2005/10/26/419_cyber-cafe_rumpus/
It's about time that the entire civilized world shuts down and monitors all monetary transactions to Nigeria. Sure you may somehow steal my life savings, however you'll never see it sent by the financial industry to Nigerian soil.
Tough-on-crime approaches are pointless if the "other half" of the situation doesn't care, won't dedicate money and manpower, and doesn't find the crook. Pointless. So, until all the countries in the world work together on crimes like identity theft, child porn, espionage, or in your case, attempted ID theft, tougher prosecution and sentencing will be ineffective. And I personally don't see world-wide partnership and cooperation happening in this arena, but perhaps I am being cynical.
First of all, governments in other countries, especially places like Russia and Germany, could care less about enforcing any US computer/communication/internet laws.
Secondly, you, the victim, are in the US and the perpetrator of the crimes against you is (possibly) located in Germany. How would you get to Germany to testify? Or how would the criminal be brought here? Who would pay? And would the price of the substantial inconveniences caused to you so far end up being much less than the cost of prosecuting someone for an offense that is so difficult to prove?
Third, the physical computer that hacked you might be located but you still have to prove who was at the keyboard committing the crime. How much more difficult does that become when it is determined the computer/criminal is really in Germany, Russia, or Pakistan?
Hackers can actually hi-jack another person's computer or website now, in order to do their spamming, phishing or farming. So the hacker may actually be sitting at a computer in Pakistan or Australia, using a German computer to do the dirty work for them. And I feel certain Pakistan could care less about computer crimes against the US either.
---------------Excerpt from CNetNews.com article:
Mideast hackers may strike U.S. sites, FBI warns
By Erich Luening
Staff Writer, CNET News.com
Published: November 2, 2000, 4:00 AM PST
"Due to the credible threat of terrorist acts in the Middle East region, and the conduct of these Web attacks, (Internet users) should exercise increased vigilance to the possibility that U.S. government and private sector Web sites may become potential targets," said a recent advisory from the FBI's cybercrime unit, the National Infrastructure Protection Center.
Some of the documented email attacks are believed to have involved customers of free Web-based email providers Yahoo and Hotmail.
Venzke could not give an exact profile of the typical hacker taking part in the current attacks, but he did say his company is aware of both sides having extensive recruitment campaigns at hacker conventions and on university campuses.
"In the near future, there will be a great number of people within these organizations with just technical training, separate from those with military training," he said.
"In the event that either side more actively utilizes viruses or Trojan horses, it is unlikely that infections will remain confined to their intended targets and are likely to pose problems for users around the world,"
The cyberwar, dubbed "E-jihad" by pro-Palestinians, was sparked last month by the violence in Israel.....
------------------------------------
Very few countries ever agree to do all of the investigative work required, track down leads, compile all of the evidence, arrest and detain the person, and take them to trial using their manpower and money in order to enforce US laws.
The point is, it's frustrating and I felt just as helpless, mad, victimized, violated, and just as determined that something should happen to the person(s) who did this to me last year. Most police agencies would love, just as much as you, to track down and prosecute these individuals. Unfortunately, it happens rarely when 1/2 of the situation is outside the US.
The person who hacked me didn't get any money out of me either, thanks to my bank, a merchant, and my credit card company all working together. But I did learn through my own research that the person who did this to me used Hotmail and was from Pakistan, and probably was just as happy to have caused me, an American, a substantial inconvenience and loss of time, all for the sake of jihad.
It's happening to hundreds of thousands of people like you and me in the US every year. I found out during my research into my own situation, that it's not just our federal government who cannot afford to prosecute every case here. More surprising to me was the fact that my bank and credit card company were also victims of a crime in my situation but they both chose NOT to pursue their loss, they just covered it to keep me as a customer. This has become a common policy to maintain current customers and attract otherwise wary ones. They write off their losses unless the crime reaches upwards of $10,000.00 in loss or more, per credit card victim. Otherwise, it would cost too much in manpower, resources, and money to prosecute. They simply "write it off" as part of doing business in today's world. This too must change, but it won't without worldwide cooperation and support. But don't hold your breath and don't blame the government entirely. The government and private industry agree that, in most small cases, it's just the reality behind having and using the "worldwide" internet.
So when you get on that soapbox, as I did, challenge the practices and policies of your own bank and credit card company as well. And how about Hotmail? You get what you pay for. And Hotmail is free.
Another sad reality is that some countries even make it difficult or impossible to stop distribution of child porn. They won't stop and prosecute those involved in these overseas child porn rings either because this is actually legal in some countries and other countries will not pursue it.
Your reality is, you've been able to stay one step ahead of these yo-yo's and so have the credit card companies and banks you do business with, so far. You really do have it good compared to some victims who know too little about the risks involved with logging on to the internet, or about risks involving one's personal information in general. So many people are still being duped into divulging personal information over the internet, or they are tricked into downloading a trojan virus that records their keystrokes or remotely turns on their webcam 24/7. Now hackers can create authentic looking websites that trick people into logging on to the hacker's fictitious website for instance. Then the hacker can walk onto your computer through a back door and look at you or anything about you, any time they want.
So many people have internet access without also having additional firewalls, spyware protection, and virus protection software working for them as well. They just aren't aware of what's out there, or perhaps they think it just won't happen to them.
Have you checked your computer to see if somehow a backdoor trojan was inadvertently downloaded? Have you checked to make sure you don't have a keystroke logger that's been plugged in? Anyone else have access to the computer when they visit you or your roommate at home? Have you taken your computer to someone for servicing?
Most importantly, do you have virus software and other protection programs installed?
It's like anything else in life- The best protection anyone can provide you is for you to depend on YOU. Always protect yourself and don't depend on others entirely. This means stay up with the game and stay educated. It's not hard these days with so much information out there.
The deadbolt on your front door only buys you enough time to call 911 or grab your gun- because the person kicking in your door will still get in by the second or third kick. It's what you can do to protect yourself that determines how much or how little the bad guy gets in the end. Reinforce your protection, have a plan, react quickly and know how to defend yourself. This seems like common sense and a "no-brainer" in the physical world but maybe it's time to apply it to your cyberworld since part of you lives in it through your bank, your credit cards, and because you communicate with others by email.
Lastly, you can also log your criminal complaint with the FBI's website dedicated to such crimes. It's called IC3 (formerly IFCC.) Once you file the complaint online, your local police department and the agency with jurisdiction of the criminal, will be sent a copy of the report you made. If the criminal is out of country.... that country probably won't get a copy. Your report may become part of a larger crime going on with many people too. If your perpetrators are committing some large-scale, nationwide, thefts over the internet and the sum of all reports like yours hits a monetary threshold, the FBI may investigate. You never know.
You used the word fortunately in your email. You are indeed fortunate because the criminals have not succeeded in any of their attempts to steal your identity and take your money.
And sharing your experience has surely helped at least one or two victims see they were not the only ones. And perhaps, one or two future victims will become more aware of personal risks and will take extra steps to prevent such an attack on them.
Good luck and be proud- they didn't get to you and they probably won't. Not at their level. But remain vigilant.. someone is always building a better mousetrap.
K
* Doctor's office
* Employer
* Land lord
* Car dealership
* Gazillion others
HOW CAN IT BE A SECRET? It cannot be by definition!
Same with Credit-card number. Every time you shop with it, you must disclose the secret.
Your "secret" credit-card number is known to hundreds, maybe thousands of organizations.
At the end of the day, the number of people that have access to your secret information is very large.
To make things worse, to get a credit card, nobody will need to see you! It's all through the mail.
DL will not help much at all, there is no need for one more additional secret you need to tell everyone.
It's time to graduate from the flawed old systems and start employing strong cryptography, without any secret sharing.
http://techtonic.blogspot.com/2005/03/security-breaches-not-anymore.html
other various online and offline scams rests solely in the hands
and minds of consumers. Not the Government at any level. Not
business or commercial enterprises, either online or offline. Not
through some unnamed standards body or clueless, stamped in
stone regulations.
The focus should be on the CONSUMERS who provide the ONLY
EFFECTIVE method of driving everyone else in this solution. As
some bright person once said, consumers want to feel secure, in
control and want what they want when they want it. Feeling
secure and being in control are suffering right now. Consumers
might just walk away without them. And Government,
businesses and commercial enterprises need to COMPLETELY
understand this reality.
Not all businesses and commercial enterprises are totally
clueless when it comes to taking that extra care of the
relationship they share with their valued clients and customers
both online and offline. Sure, a lot of businesses and
commercial enterprises just don't "get it!" But the businesses
and commercial enterprises that do GET IT are on solid ground
and growing profitably and steadily because not only do their
customers and clients keep coming back, they tell their friends,
neighbors and business associates with WHOM to do business.
My main point here is the same point that is echoed in most all
of the comments that have been posted thus far; customers and
clients are much more aware and concerned about ID Theft and
Scams than ANY governmental agency, business or commercial
enterprise. And if the customers and clients are not safe and
secure, in control and want what they want when they want it,
those same customers and clients move on to another location
that does GET IT!
I have studied ID Theft and Online/Offline Scams for more than
three decades. It is interesting to note that a certain segment of
the customers/clients population actually finds out about the
businesses and commercial enterprises that really provide the
highest level of customer service, provide security, product and/
or service guarantees, and hold the best interests of their
customers and/or clients in the highest regard. And those same
customers and clients tell their friends, neighbors, business
associates and just about anyone who is interested who those
outstanding businesses and commercial enterprises are!
It's called, "Word of Mouth" advertising; the most efficient, cost-
effective, reliable form of advertising ever imagined.
And that is precisely why after many decades of research, I
founded http://www.cattboxx.com so those customers and/or
clients could have a safe secure place to let EVERYONE who has
internet access know where to do business online and be treated
with respect and dignity in a safe, secure, guaranteed
environment. Customers and or clients do not have to depend
on some governmental agency to lead them in the right
direction (as if that were at all possible in the first place).
Customers and or clients do not have to engage in decades of
research to figure out how to be able to feel secure, in control
and want what they want when they want it from which
businesses and or commercial enterprises. Those same
customers and or clients are able to find out the REAL STORY
from other customers and or clients who have already made the
trip and have the free enterprise audacity to let other real, live
breathing human beings know what works.
And that is precisely why after many decades of research, I
founded http://www.cattboxx.net so businesses and commercial
enterprises who were trying to figure out HOW to reach out to
their customers and or clients in a respectful and dignified
manner could find the pertinent information at one location to
be able to adjust and correct their customer relationship
approach online with a more focused and effective manner. It's
not about some clueless CRM software that runs on some non-
human server. It's all about real live breathing human beings
from businesses and commercial enterprises relating directly to
real live breathing human beings who are interested in
purchasing goods and/or services either online or offline.
It's NOT about any kind of governmental regulations, because
even at best, governmental regulations move at the speed of
SMELL long after the situation is so messed up that NOBODY can
ignore the SMELL. Customers and/or clients are the parakeets in
the mine shafts that die FIRST when the breathable oxygen
becomes contaminated. In other words, you ALWAYS take care
of your customers and/or clients and your business or
commercial enterprise will continue to profitably grow and
prosper.
And if you are still skeptical, point your browser to
http://www.cattboxx.com to find out what THOUSANDS of online
customers have to say about which businesses and commercial
enterprises are the ONLY ONES with whom to do business. Then
you will be able to more fully understand that this problem is
NOT that tough, but you will find out that it is indeed impossible
for me to make this so complicated that ANYONE could finally
GET IT!
At what point do consumers get the protection the law is supposed to impose? Has anyone at the FTC even checked on any of these companies to see if the consent order is being acknowledged or not? Sunbelt has about 400 offices in the South that fall under the requirement to demonstrate third-party verification that they have implemented the required safeguards in all of their operations (mostly in Coldwell Banker offices). Where is the proof of this compliance? Lack of enforcement agents is not an acceptable excuse when these companies have agreed to get in compliance by a certain date. It is neither cost-prohibitive nor an undue burden to these companies to implement a Safeguard Program, yet they are NOT BEING HELD ACCOUNTABLE??!!! Where is the public interest being served here?
In my opinion it is unfair to allow unsafe business practices to continue at the hand of companies that have clearly and willfully violated FTC law. My company provides affordable compliance management tools for businesses affected by the FTC Safeguards Rule (www.safeguardprogram.com), but because of lack of enforcement and awareness of the law I get resistance from the very companies who are REQUIRED BY LAW to have safeguards and best practices in place. They LAUGH at the suggestion that they will suffer any penalties for NOT having a Safeguard Program in place. Data Security Programs SHOULD be in high demand in light of all the recent security breaches and identity theft making the news this year.
I am aware of the proposed Data Protection and Security Act of 2005 and the implications for financial service providers, information brokers and non-profit organizations. The requirements of this law are almost identical to those of the Safeguards Rule, with notable additions and penalties for breach notification and non-compliance.
What assurance do we the Public have that this law will be advertised and enforced any better than the existing privacy laws? I beg this question on behalf of the American people.
-ceebee
service to enforcement of business practices.
It's tax season and throughout this country tens of thousands of tax-preparers are using professional tax prep software supplied
by the biggest consumer software company in the country. A
name we're all familiar with if we keep books quickly at home or
in a small business or if we do our own tax returns with turbo
speed.
Lamentably, this pro software only runs on Windows computers
using Administrator privileges, making them very susceptible to
malware infestations including keystroke loggers, trojans, etc.
I estimate a 99% rate of non-compliance with the FTC
SafeGuards Rule for this segment.
Similarly, physicians, who have HIPAA security compliance
mandates also, often select the best selling practice
management software package which also requires the user to
have Administrator privileges.
These two examples of poor programming practices were
designed in pre-internet days when the modem was the
method of filing returns or insurance claims and 16 or so years
later remain fundamentally unchanged.
As long as someone in authority, the government, doesn't tell
the end user some of the basic tests they should do to confirm
they're at risk, you'll be accused of being a fear-monger out to
get their money.
Testing for Admin privileges is usually as simple as seeing if you
can change the time on your computer. If you can, you're using
too many privileges.
It's a complex subject not easily put into sound bites and like
prostate or breast cancer, security is something we'd rather not
think about.
Congress is the appropriate target.
31 social security numbers and over 1/4 million in cash advances, fake loans, credit cards and no account checks while on probation and law enforcement with judge help covered it up.
google southdakotagov.info
Vendors subscribe to services that record each time your banks lose some money due to ID theft and you get points added to your record!
It works in reverse: the higher your risk score, the more trouble you will have the next time you need to buy something, from flowers to a car.
So even if you never made a late payment, you could be denied a flower delivery for Mother's Day!
You can't even say you were a victim of Identity Theft. That alone could raise your risk score and you may end up living life in the 70's having to do everything in person.
I was a victim, myself, found that USB device offered by someid.net and use it to give the vendors positive ID without having to worry about my risk score.