Privacy Rights Clearinghouse
Beginning with the ChoicePoint incident in mid-February, almost five million consumers nationwide have been affected by some sort of data breach in the past three months -- whether as a result of hacking, lost or stolen backup tapes, stolen computer or laptop, compromised passwords, a dishonest employee, fraudulent access to data broker services, or otherwise. We have posted a chronology of these data breaches on the PRC web site at http://www.privacyrights.org/ar/ChronDataBreaches.htm .
If you learn of a data breach that’s not noted on our budding list, please let us know by using our inquiry form [Jan. 2007: The PRC's online inquiry form is now inactive].
On a related note, according to the National Conference of State Legislatures (NCSL), 32 states have introduced legislation this year that would require businesses that experience a data breach to send a notice to those affected. To date, six of those states have passed security breach notification laws. In addition to California’s existing law, security breach notification legislation was passed into law in Arkansas, Georgia, Indiana, Montana, North Dakota and Washington.
For more information about security breach notification legislation, visit the NCSL web site:
In addition, legislation has been introduced in Congress to afford consumers better protection against identity theft, data aggregators, and security breaches. See Senate bills 500, 751, and 768 and House bill 1069 at http://thomas.loc.gov .
The typical online information broker makes directory information (for example, from phonebook listings) available at no charge, but then charges a fee for additional information from public records sources such as property records. The newest company to enter the scene is ZabaSearch.com. According to the company’s web site, ZABA is from the Greek word "tzaba," which means "free" or "at no cost." True to its name and unlike the others, ZabaSearch makes limited public records information available to anyone free of charge. They even provide access to a satellite image of residential addresses obtained through property records.
Several people have contacted the PRC to complain that their unlisted number is available on ZabaSearch.com. They are angry that their phone number is no longer private and wonder how ZabaSearch obtained their unlisted number. We don’t have a clear answer, but here’s our best guess: Often, such sites get their data from public records, but in general if you give out personal information without the written assurance that it won’t be sold or shared, it’s usually not protected by law. According to ZabaSearch.com, some of the information they post comes from postal service change of address forms and subscription information. Their web site further states, “credit card companies, banks, financial institutions and government agencies share or sell your information unless you specifically request that they do not distribute it.”
We, of course, think things should be just the reverse – that your personal information should not be sold or shared until and unless you give your affirmative consent. This is known as “opt-in.” But until stronger privacy laws are enacted in the U.S., we advise that you take advantage of as many opt-out opportunities as you can. Read our Fact Sheet 1(a), which lists several opt-out opportunities: http://www.privacyrights.org/fs/fs1a-basics.htm .
Also write to your state and Congressional legislative representatives about the need for opt-in privacy laws. In addition, file a complaint with the Federal Trade Commission (FTC), which needs to hear your concern and outrage about online information brokers that post your personal information. Go to the FTC’s home page at http://www.ftc.gov and click the link in the upper navigation bar for File a Complaint. Contacting the FTC is especially important if you have problems opting out with web sites that say they allow you to do so.
The PRC web site offers instructions on how to opt out of several online information broker web sites, including ZabaSearch.com, at http://www.privacyrights.org/ar/infobrokers.htm . Be sure to read the caveats first. These opt-outs are very limited in scope.
For more information about ZabaSearch.com and the controversy surrounding this online information broker, see the following articles:
* It's Impressive, Scary to See What a Zaba Search Can Do -- San Francisco Chronicle
* Your Identity, Open to All -- Wired News
* Can We Stop ZabaSearch? -- FindLaw Write: Legal Commentary
Previous issues of this newsletter have discussed the availability of public records on the Internet and the implications for personal privacy:
Seniors are frequently the targets for telemarketing and sweepstakes scams. But what happens when a senior falls for a Canadian lottery scam? Marian (not her real name) contacted the PRC about just such a scam. She had been told she was a winner of a Canadian lottery.
Marian told us she deposited the check for her supposed lottery winnings into the Bank of America account she’d had for decades. When the check was posted to her account and she was told by a Bank of America representative the check had cleared, she did what many people would do -- she spent the money. Days later, the bank realized the truth of the matter: The check was in fact counterfeit. The bank quickly removed the funds from Marian’s account, leaving her with unpaid fees and bounced checks. They also cancelled her account.
The bank then reported derogatory information to ChexSystems -- showing she had a history of insufficient funds and suspected fraud activity. Marian was unable to open another bank account. Dependent on her monthly Social Security benefits, which previously had been automatically deposited into her Bank of America account, she was in a bind.
The PRC contacted Bank of America on Marian’s behalf, asking that they remove the negative information from her ChexSystems report because she was clearly a victim of a crime. They agreed to do that. What helped, we think, is that in the meantime, the FBI was able to crack Marian’s case and bust the crooks. And, though Bank of America will not let this long-standing customer open a new account with them, she subsequently was able to open an account with her local credit union.
According to the victim specialist in the FBI office with whom we spoke about Marian’s situation, this type of scam and the impacts on victims like Marian are not all that unusual. Marian’s case raises several questions. Should banks allow deposits to be posted to a customer’s account even if they have not actually cleared? Hasn’t the implementation of Check 21 and electronic banking made it easier for banks to detect counterfeit checks more quickly?
What can be learned from Marian’s story? First, any offer you receive that promises to give you money for free or for a small upfront fee is a scam, plain and simple. We urge you to never give out any personal information to an unsolicited caller. If you want to know how to sign up for the National Do Not Call Registry or would like tips on how to file a complaint about a scam artist who calls you, read the PRC’s Fact Sheet 5, Telemarketing: How to Have a Quiet Evening at Home at http://www.privacyrights.org/fs/fs5-tmkt.htm .
Second, it pays to know about ChexSystems. It is a nationwide “specialty” consumer reporting agency that collects and maintains information from member financial institutions such as banks and credit unions. As happened to Marian, if a bank closes your checking account because of insufficient funds, for example, it will make a report to ChexSystems that other banks will check when you apply for new accounts. As of December 2004, federal law enables consumers nationwide to access their check writing history report and dispute any inaccurate information it may maintain.
If you have experienced any problems involving a bank account, including check fraud or identity theft, be sure to order your ChexSystems report. For more information, see the PRC’s Fact Sheet 6(b), The “Other” Consumer Reports: What You Should Know about “Specialty” Reports at http://www.privacyrights.org/fs/fs6b-SpecReports.htm#7 .
The Federal Deposit Insurance Corporation (FDIC) is hosting symposiums across the nation on “phishing” and account hijacking in the coming months.
The FDIC symposiums include presentations by experts from federal and state government, the banking industry, consumer organizations, and law enforcement. The presenters discuss current efforts to combat phishing and account hijacking and provide advice on ways consumers can avoid scams that can lead to account hijacking and other forms of identity theft.
The dates of the remaining symposiums are:
* Friday, June 17, 2005 - Los Angeles, CA
* Thursday, September 22 - Chicago, IL
In December 2004 the FDIC released its study, Putting an End to Account-Hijacking Identity Theft, available online at http://www.fdic.gov/consumers/consumer/idtheftstudy/index.html .
Key findings of the FDIC’s study are sobering:
* While precise statistics on the prevalence of account hijacking are difficult to obtain, recent studies indicate that unauthorized access to checking accounts is the fastest growing form of identity theft.
* Nearly 2 million U.S. adult Internet users experienced this fraud during the 12 months ending April 2004. Of those, 70 percent do their banking or pay their bills online and over half believe they received a phishing e-mail.
* Up to 5 percent of the recipients of spoofed e-mails respond to them.
* An estimated 19 percent of “those attacked” have clicked on the link in a phishing e-mail. Most, if not all, large financial institutions and electronic bill-paying services (such as PayPal) have been hit with phishing attacks.
* Because many phishing attacks originate overseas and because the average life span of a phishing web site is 2.25 days, the sites are hard to shut down.
For more information about the FDIC symposiums, see:
For more information on phishing in general, see:
To subscribe to our free email newsletter, go to www.privacyrights.org/subscribe.htm