With the growing rates of ID theft and tax refund fraud, thieves have taken their crimes to even the state income tax level in order to make fast money. One state has implemented a computer system to help prevent tax refund fraud, but the end result has been a slower payout of as many as one hundred thousand refunds, a delay which is costing the state hefty penalties in interest.

New algorithms put in place on the state of Alabama’s revenue department computers are meant to catch inconsistencies that could red flag a refund, and the end result has been a slowing down of some of the state’s households’ refunds. While 1.85 million returns had been filed in 2014, only 1,063,768 had been issued by August.

So what happens to those citizens who are still waiting for a refund? The state of Alabama will allot a 3% interest on any unpaid refunds. According to Julie Magee, Alabama’s state revenue commissioner, the interest that the state will have to issue is a small price to pay for better security measures that prevent the loss of millions of dollars in fraudulent refunds.

Earlier this year, Alabama began the prosecution of a nine-woman tax fraud and identity theft ring in its state, one that specifically targeted soldiers and children by accessing their personal data through computer systems that stored the information. The criminals took in over $20 million dollars in fraudulent refunds, mostly of soldiers who were deployed to Iraq and Afghanistan, before they were caught. This type of crime has weighed heavily on the state’s revenue commission, who felt better security measures were needed.

While these measures are happening at the state revenue office level, the IRS is already scrutinizing its systems to prevent federal tax refund fraud. The problem has become so widespread that the IRS has paid out as much as $4 billion in a single year in fraudulent tax refunds to identity thieves.

Contributing to the delay this year was the fact that the federal government began processing federal tax returns about three weeks later than usual, but the state’s computer system enhanced that delay for an estimated 100,000 refunds. According to state law, interest must be paid on those refunds, but that’s an expense that the revenue commissioner feels is worth it to prevent refund fraud. Plans are already in place to restructure the algorithms so that next year’s refunds experience less delay.

If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit http://www.idtheftcenter.org/anyone-3.

It’s one of the more difficult conundrums surrounding internet use: the more awareness and education about internet safety that works its way into the public consciousness, the faster the bad guys have to work to keep up. As organizations like the ITRC work to keep the public informed about some of the more dangerous behaviors and best practices associated with having an online presence, the more creative hackers and identity thieves have become in order to continue their crime sprees.

But new legislation proposed by US Senator Kirsten Gillibrand (D-NY) has been put forward as a possible solution to much of the worry about identity theft and financial fraud, especially as it pertains to the financial and retail industries. The bill, called the Cyber Information Sharing Tax Credit Act, would offer tax credits to businesses that participate in information sharing specifically as it relates to cyber threats and technology vulnerability.

The tax credit is meant to be an incentive to share information between companies, and will work to offset the costs associated with voluntarily participating in this type of group. It would essentially allow businesses to examine one another’s vulnerable practices and learn from previous incidents that have struck other companies and corporations.

According to a statement on the legislation on Senator Gillibrand’s website, the purpose of the legislation is clear. “Businesses should take the same precautions to defend their data as they do with their buildings and inventory. Just as they purchase insurance and security systems, they should enter into agreements with information sharing organizations to help defend against cyber-threats. From financial institutions and health care systems, to our electric grids and grocery stores, we are losing billions of dollars and putting our critical infrastructure at risk because of inaction. We must do more to strengthen our defenses online, and information sharing among businesses is a critical step that must be taken.”

How many incidents are we really talking about? Since the horrific incident on September 11, 2001, there have been more than 4,000 different large-scale security breaches on US businesses resulting in more than 500 million personal information records being accessed by criminals. Senator Gillibrand’s bill comes on the heels of the tenth anniversary of the 9/11 Commission’s report which showed that America is currently sitting at what they called “September 10th” levels for cyber security, meaning we’re all just one day—metaphorically speaking—from the next unthinkable attack. This time, however, experts believe the threat may be digital in nature and will have much farther reaching consequences.

Without waiting for a national response, a number of states have already explored their own versions of incentive programs for businesses within their states that are willing to share security information. Maryland is one such state, which earlier this year enacted its own tax credit up to $450,000 annually for participating companies that invest in recognized cyber security protocols to protect their consumers. Reports also indicate that other organizations are currently at work on better information sharing systems, especially between government defense contractors.

However legislation ends up affecting this kind of change, there is still a definite need for awareness and understanding of how to best protect yourself at the consumer level. While corporations will hopefully develop better standards and cooperation for preventing cyber attacks, it still remains the job of the individual to safeguard his personally identifiable information and keep his personal data safe through smart online behaviors and careful monitoring of his credit information.

If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit http://www.idtheftcenter.org/anyone-3.

The Bipartisan Budget Act of 2013, signed into law by President Obama on December 26, 2013 will bring about significant changes to the way the Death Master File (DMF) is accessed by users.

Under Section 203, “Restriction on Access to the Death Master File,” the Secretary of Commerce is tasked with establishing a fee-based certification program for all persons desiring to access the DMF data within three years of the death of any deceased individual. Section 203 of the Bipartisan Budget Act of 2013 will take effect 90 days after its enactment in March 2014.

The DMF is often abused by identity thieves seeking to gain fraudulent monetary gain from the abuse of the identities of recently deceased individuals. The DMF contains highly sensitive, personally identifiable information which can be used in a myriad of ways by criminals thereby wreaking havoc on government agencies, grieving families and the economy as a whole. The DMF currently contains over 86 million records of deaths and includes the following personal information for each deceased individual if available: Social Security Number, name, date of birth, date of death, state or country of residence, and the ZIP code of their last residence. This is a virtual gold mine for an identity thief.

One example of how identity thieves use this information is to obtain a deceased individual’s personal information and use it to file a fraudulent tax return in the decedent’s name claiming fraudulent refunds. Not only does this steal money from our government in the form of fraudulent refunds, but it is devastating for a grieving family to have to go through the process of proving to the Internal Revenue Service that their loved one is indeed dead. This stalls the grieving process for the family, uses up valuable time of IRS employees and the deceased’s family, slows down the processing of returns for everyone, and enriches criminals at the expense of our tax dollars.

The fee-based certification program, under Section 203 of the Bipartisan Budget Act of 2013 will reduce this and other types of identity fraud by requiring user certification under Section 203(b)(2). To obtain certification, an applicant must:

  • Certify that he or she has a legitimate fraud prevention interest or a legitimate business purpose pursuant to law, rule regulation or fiduciary duty [Section 203(b)(2)(A) AND
  • Have systems, facilities, and procedures in place to safeguard such information, and experience in maintaining the confidentiality, security, and appropriate use of such information

In addition to creating the new certification process for access to the DMF, the Secretary of Commerce is also ordered to perform periodic and unscheduled audits of certified persons to determine their compliance with the DMF program requirements. While there are some who are concerned that the increased protection of DMF information will harm research or business that is dependent on the DMF, it is important to think of all the harm that occurs when the DMF is used for fraudulent purposes. We think this is a fairly balanced approach to the issue and appreciate the concern shown by our legislators for the victims of DMF related identity theft.

“Important Changes Regarding Access to the Death Master File for 2014” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

The Florida Senate Committee on Commerce and Tourism unanimously supported the Keep I.D. Safe (KIDS) Act this Monday, a bill designed to help reduce child identity theft in the state. Florida is a known hotspot for identity theft and fraud.

The Federal Trade Commission (FTC) compiles and analyzes complaints submitted to the FTC, the Internet Crime Complaint Center (IC3), Better Business Bureaus and other organizations by crime and state in an annual report titled the Consumer Sentinel Network Data Book. Florida has been listed by the report as the state with the highest per capita rate of reported identity theft complaints for the last four years in a row.

Children, and especially foster children, are vulnerable to identity theft because they are considered high value targets by identity thieves. Due to their lack of a credit report or history, they are blank slates that an identity thief can abuse for years before the child or parents ever find out. When the child first applies for a credit card, student loan or anything that requires credit, they discover all the fraud that has been conducted in their name and are denied the credit.

Child identity theft is detrimental to the child as it can postpone college due to student loan denials, gaining employment, purchasing their first vehicle, and accessing credit. This delay lasts however long it takes the child to dispute all the fraudulent activity and have them cleared from their credit reports, which can take months or even years.

During the announcement for the bill, Florida Commissioner of Agriculture and Consumer Affairs Adam H. Putnam said, “more than 50,000 Florida children are victims to this exploitation each year, and more than $100 million is stolen every year from those whose identities are compromised.” Adam Putnam has worked with Sen. Nancy Detert and Rep. Heather Dawes to introduce the KIDS Act, which is estimated to prevent 10,000 children from identity theft each year and save Florida more than $21 million annually by department economist Sergio Alvarez.

The KIDS Act (SB 242, HB 151) will follow in the footsteps of Maryland’s child identity theft law in that it enables parents or guardians to create a credit report for their children and subsequently freeze it to block an identity thief from abusing their credit. The House KIDS Act bill was referred to the Business and Professional Regulation Subcommittee just yesterday and has not scheduled a vote as of yet.

Florida Child Identity Theft Bill Progresses in Senate” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

Senator Edward J. Markey and Rep. Joe Barton will soon be reintroducing their Do Not Track Kids Act, a bill that would update the existing Children’s Online Privacy Protection Act (COPPA), The Hill reports. Senator Markey, a member of the Senate Commerce, Science and Transportation Committee, and Rep. Barton, the co-char of the Congressional Bi-partisan Privacy Caucus, believe that COPPA needs to be updated to reflect the new “Internet ecosystem” of the 21st century.

They cite a recent report from Commonsense Media that found 70% of children under the age of eight have used a mobile device and those children spend triple the amount of time on these devices than in previous years. The Do Not Track Kids Act of 2011 proposed several key updates to COPPA that weredesigned to curb the tracking of minors’ activities on the Internet.

These updates included:

  • Restricting operators of a website, online service, online application, or mobile application directed to minors from collecting personal information if the purpose of doing so is for targeted marketing purposes.
  • Creating a Digital Marketing Bill of Rights limiting how, when and what information from minors may be collected by website operators.
  • Requiring website operators to provide clear notice about what geolocation the operator collects and how they use it, obtain verifiable parental consent prior to information collection, and provide to the minor or parent any geolocation information collected by the operator upon request.
  • Requiring website operators to implement mechanisms, or “eraser buttons,” that allows users to delete content that is publicly available on the website and contains or displays personal information of the minor.

The Do Not Track Kids Act of 2011 is similar to California’s recently passed SB 568, approved by Governor Brown on September 23rd. A common theme in both of these bills is the restriction against collecting information about minors for the purpose of targeted marketing purposes, although SB 568 only restricts information collection for the use of marketing certain products, not all. In addition, both pieces of legislation include a requirement for allowing minors to request the removal of certain content or information posted to a website; however, the Do Not Track Kids Act limits this requirement to information or content that contains or displays personal information of the minor.

It will be interesting to see if Sen. Markey and Rep. Barton make any changes to the new bill, such as banning the advertisement of certain products to minors on websites like SB 568 or requiring operators to disclose how they will treat Do Not Track signals from users’ browsers. We will be following the progression of this bill and keep you updated on any new provisions that may be added when reintroduced.

“Lawmakers to Reintroduce Do Not Track Kids Act” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

Steve Peace and Michael Thorsnes, sponsors of the California Personal Privacy Initiative, have given up on collecting the 807,615 signatures needed to qualify the measure for the ballot.

The proposed measure sought to amend the California Constitution in a number of ways:

  1. to create a presumption that any and all personally identifying information collected for a commercial or governmental purpose is confidential
  2. to require the person or entity collecting personally identifying information for commercial or governmental purposes to use any and all reasonably available means to protect it from unauthorized disclosure
  3. to create a presumption of harm whenever someone’s confidential personally identifying information is disclosed without his or her authorization
  4. to create a safe harbor for unauthorized disclosure if there is a countervailing compelling interest and there is no reasonable alternative for accomplishing said interest

One of the effects of these changes would be a major impact on litigation as privacy and security data breach class actions often do not succeed due to the difficulty of proving harm to the plaintiffs. Just last month, an Illinois federal judge dismissed a class action lawsuit accusing Barnes & Noble Inc. for being responsible when a security breach of PIN pads in 63 of their retail stores may have divulged customers’ personal information. The judge dismissed the lawsuit, finding that the plaintiffs did not sufficiently show they had suffered any harm from the breach. A presumption of harm would have gone a long way towards helping the plaintiffs obtain a significant settlement from Barnes & Noble Inc.

California’s Legislative Analyst’s Office, in a review of the proposed constitutional initiative, found that the presumption of harm would “make it easier for individuals to win privacy lawsuits against state and local governments” and result in “unknown but potentially significant costs to state and local governments from additional or more costly lawsuits, increased court workload, data security improvements, and changes to information-sharing practices.” The Sacramento Bee reported that the Legislative Analyst’s Office opinion was a major reason for dropping the initiative saying that Steve Peace “struggled to coalesce the entire privacy community and ‘couldn’t in good conscious ask people to spend 25 million bucks’ on a proposal ‘where we were going to have to spend all of our time on defense’ because of the analyst’s analysis.”

“California Personal Privacy Ballot Initiative Dropped” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

Governor Brown signed a landmark bill this Monday giving minors the power to have content or information posted on the internet removed at their request. SB 568, introduced by State Senator Darrell Steinberg, has two main provisions directed at improving the protection and privacy of minors on the Internet.

Sen. Darrell Steinberg told the Los Angeles Times SB 568 is “a groundbreaking protection for our kids who often act impetuously with postings of ill-advised pictures or messages before they think through the consequences.” The first restricts operators of an Internet website, online service, online application ormobile application directed to minors from marketing or advertising products including but not limited to alcoholic beverages, tobacco products, firearms and certain dietary supplements. The second requires the same group to notify minors that they have the option of removing any content or information they post on the internet and to honor any such requests made.

The second requirement will likely have a large effect on social media websites such as Facebook, Pinterest and Tumblr, where minors communicate with their friends and social networks. Kids and teenagers often post embarrassing information or pictures on websites that they may later regret or their parents discover and want their child to remove. This law would not just provide a remedy for minors to remove embarrassing posts, but it would also provide a way for minors to remove personally identifying information they posted on the Internet, such as a new driver’s license, without knowing that it can put them at increased risk of identity theft and fraud. This is a good thing.

Unfortunately, there are many questions that the text of the law does not answer. What exactly does “directed to minors” mean? The law defines it as “reaching an audience that is predominantly comprised of minors, and is not intended for a more general audience comprised of adults.” This vague definition may confuse website operators and leave them uncertain of whether they are targeted by this law. In addition, what exactly does an operator have to delete when requested by a minor and will it have any real effect? As Gregory Ferenstein wrote on TechCrunch, the law “ignores the reality that it’s nearly impossible to delete information from the net: embarrassing photos spread virally, and Internet archives automatically create copies of nearly every piece of information on the web.” He goes on to point out that most websites already allow users to delete a post. The law requires that Internet operators have to delete only the information personally uploaded by a minor. So, a repost of something they upload would not be required to be deleted and thus may limit the practical effectiveness of the law.

While the law may have some flaws, it is a step in the right direction for attempting to improve the privacy rights of children and teenagers. It will be interesting to watch how this law is interpreted and enforced by the California court system once it becomes effective January 1, 2015.

“California Increases Privacy Rights for Minors” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

The World Wide Web Consortium’s (W3C) Tracking Protection Working Group (TPWG) has suffered a major blow as the Digital Advertising Alliance (DAA), a “consortium of the leading national advertising and marketing trade groups,” has declared they are withdrawing from the TPWG.

In a letter addressed to W3C CEO, Jeff Jaffe, Lou Mastria, Managing Director of the DAA writes, “Despite extension after extension of its charter year after year by the W3C, the TPWG has yet to reach agreement on the most elementary and material issues facing the group. These open items include fundamental issues and key definitions that have been discussed by this group since its inception without reaching consensus…”

The TPWG was chartered more than two years ago to standardize the technology and meaning of Do Not Track by working with privacy activists and the advertising industry in order come up with a satisfactory self-regulatory system. In this time, the TPWG has failed to come to consensus on any of the issues needed to effectively create the self-regulatory system such as defining something as essential as the term “tracking.” The DAA’s departure comes shortly after experts Peter Swire and Jonathan Mayer left the group in August. Peter Swire is a law professor and privacy expert who was the co-chairman of the TPWG before he left to work with the Obama administration’s intelligence review panel. Jonathan Mayer of Stanford University is a graduate student in law and computer science who left the group in August after saying in July that the “parties are now further apart on the negotiations than they ever had been.”

The future of W3C’s TPWG is uncertain and the Federal Trade Commission (FTC) and privacy advocates in Congress have been waiting two years for progress. Avoiding government regulation of the Do Not Track system was one of the reasons for the creation of the TPWG; however, with this lack of progress, more attention and effort may be given to passing Do Not Track legislation.

Currently, Sens. Rockefeller (D-WV) and Blumenthal (D-CT) have a bill pending in the Senate called the Do Not Track Online Act of 2013. This bill would require the Federal Trade Commission to establish standardized mechanisms for people to alert websites that they do not want to be tracked and to create rules prohibiting online services from collecting information when a consumer selects a Do Not Track option on their Internet browser. The FTC has up to this point declined to recommend legislative action, but Agency Chairwoman Edith Ramirez told The Hill in late August that, “There may be a solution that can be achieved. That doesn’t mean to say that I’m willing to be waiting endlessly.” With the DAA’s departure from the TPWG, the FTC’s position may become more amenable to Do Not Track legislation.

This ambiguity surrounding the progress of the Do Not Track standards may have prompted California Assembly Member Al Muratsuchi to introduce AB 370, a bill amending the California Online Privacy Protection Act to require commercial websites and online services that collect personal data to disclose how they will respond to Do Not Track signals from a user’s Internet browser. AB 370 was passed by the California Senate and Assembly and now awaits Governor Brown’s signature. Continued lack of progress in developing and implementing Do Not Track standards may give reason for other states to enact similar legislation to California’s AB 370.

The DAA still believes that there is a non-regulatory solution to the Do Not Track problem and intends to create its own DAA-led group with a new process to evaluate Do Not Track signals and how they can enhance consumer privacy.

“Digital Advertising Alliance Withdraws from W3C Tracking Protection Working Group” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

The open enrollment period for the new health insurance exchanges created by the Affordable Care Act begins October 1, 2013. Americans will have until January 1, 2014 to come into compliance with the new law by purchasing health insurance coverage resulting in a surge of people looking to purchase health insurance from these health insurance exchanges in the coming months.

Most people will have several questions and need help navigating the maze of different option and requirements for each insurance plan. Millions of Americans will be need assistance in weighing their options and in order to do so, they will need to disclose personally identifying information and personal health information. The health insurance exchanges will have people assigned to the role of helping consumers determine what their options are, called navigators. These navigators will ask the individual for their Social Security number, medical history information, name, address and more in order to adequately assess their options under the Affordable Care Act.

We posted an article a few weeks ago regarding a coalition of State Attorneys General who expressed their concerns regarding the Affordable Care Act’s navigator program. Their primary concern was the lack of safeguards in the hiring process of navigators who will have extensive access to consumers’ personally identifying information and protected health information. The lack of criminal background checks make it possible for people with a criminal history, possibly including identity theft, to be employed as navigators.

This is a very legitimate concern as medical identity theft is one of the most devastating forms of identity theft. A victim’s medical records can be mixed with the identity thief resulting in misdiagnosis of illness or a doctor prescribing incorrect medicine. In addition, medical identity theft is incredibly difficult to resolve as the thief could potentially use the same medical identity multiple times, accumulating hundreds of thousands of dollars in medical bills.

This concern has led California State Assembly Minority Leader Connie Conway to introduce AB 1428. This bill would require “prospective employees, contractors, subcontractors, volunteers, or vendors, whose duties include or would include access to confidential information, personal identifying information, personal health information, federal tax information, or financial information” of Covered California to submit to the Department of Justice fingerprint images for the purpose of detecting any past state or federal convictions.

California has taken the initiative to resolve any inadequacies in the navigator program with this bill and other states may soon follow. AB 1428 has passed both the State Assembly and Senate and awaits Governor Brown’s signature.

Legislative Update – California Taking Obamacare Navigator Issue Into Its Own Hands” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

Privacy concerns over the Affordable Care Act’s Navigator program has prompted thirteen State attorneys general to write a letter to Department of Health and Human Services Secretary Kathleen Sebelius requesting answers to their questions and concerns by August 28, 2013.

 “Navigators” are entities that will receive grants to carry out duties including:

  • Conducting public education activities to raise awareness of the availability of qualified health plans
  • Distributing information concerning enrollment in qualified health plans and the availability of premium tax credits
  • Facilitating enrollment in qualified health plans
  • Providing referrals to appropriate organizations or State agencies for people who have complaints or questions regarding their health plan

In carrying out their duties, these navigators will likely have access to people’s personally identifiable information (PII) including their Social Security numbers, tax return information and some medical history. The information that will be available to navigators is more than what is needed to commit identity theft and fraud and, as such, should be well protected; however, the State attorneys general claim that the policies regarding privacy are lacking. They point out multiple flaws regarding the program policies in their letter such as:

  • The program does not require uniform criminal background or fingerprint checks before hiring personnel and does not list any criminal acts that are per se disqualifying.
  • Training for personnel is lacking in that the program only requires 20 hours of initial training which was reduced from a previous 30 hours.
  • The program requires that state licensure or certification rules must not prevent the application of Affordable Care Act navigator requirements.

The open enrollment period begins October 1, 2013 and potentially millions of Americans will be disclosing their personal information to these navigators in order to receive help in understanding and enrolling in the qualified health plans available to them. Most Americans will be required to have health insurance effective January 1, 2014, as mandated by the Affordable Care Act. In just a few months, from October to December, millions of Social Security numbers and other pieces of PII will be trading hands as people try to obtain health insurance by the January 1st deadline. The need for proper screening, proper training and the protection of people’s personal information is clear. The State attorneys general have expressed legitimate concerns and we look forward to hearing the Department of Health and Human Services’ response.

“State Attorneys General Voice Concern Over Affordable Care Act’s Navigator Program” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.