Abine talks with the ITRC in the newest Fraudian Slip podcast about protecting your privacy online and what you can do to keep your information private 

  • The California Attorney General released a new tool to help consumers complain when websites make it difficult to take advantage of the state’s privacy law.  
  • Virginia and Colorado join California on the list of states to give consumers more privacy protections. Also, California’s privacy law will be even stronger in 2023 when voter-approved legislation goes into effect.  
  • The Identity Theft Resource Center (ITRC) sat down with Abine to discuss the changing landscape in online privacy and efforts aimed at protecting your privacy online. 
  • You can learn more about protecting your privacy online and other topics discussed in the podcast, and how to protect yourself from identity crimes, by visiting the ITRC’s website.
  • If you think you are the victim of an identity crime or your identity has been compromised, you can call us, chat live online, send an email or leave a voicemail for an expert advisor to get advice on how to respond. Just visit www.idtheftcenter.org to get started.   

Below is a transcript of our podcast with special guest Rob Shavell, Co-Founder and CEO of Abine 

Welcome to The Fraudian Slip, the Identity Theft Resource Center’s (ITRC) podcast where we talk about all-things identity compromise, crime and fraud that impact people and businesses. Listen on Apple, Google, Spotify, SoundCloud or Podsite now. This month, August, we look at the ever-changing landscape surrounding personal privacy, particularly protecting your privacy online in an economy fueled by personal data.  

The California Attorney General recently released a new tool to help consumers complain when websites fail to make it easy to take advantage of the state’s privacy law. That law requires a business to have a link on the homepage that is clearly marked “Do Not Sell My Personal Information” so California residents can opt-out of data sales. 

Joining California on the list of states to give consumers more privacy protections are Virginia and Colorado. Also, California’s already strong privacy law will become even stronger in 2023 when legislation approved by voters goes into effect. Ohio, Pennsylvania and New York are also looking to pass similar laws aimed at protecting your privacy. 

Let’s not let this subtle point pass us by: Voter approved. The new California law was approved by a wide margin in 2020, and there is ample research that proves U.S. residents want stronger privacy protections. With that said, who is going to provide them and who will use them?  

Helping us to navigate the troubled waters of online privacy and efforts aimed at protecting your privacy online is the ITRC’s CEO Eva Velasquez and Abine’s Co-Founder and CEO Rob Shavell. Abine is an online privacy company that makes easy-to-use tools for consumers to control what personal information companies, third parties and other people see about them online.  

We talked with Rob Shavell about the following: 

  • What Abine does and its role in protecting your privacy online. 
  • The line between government protections, private sector protections and consumer self-protections. 
  • The concept of data minimization for businesses and consumers. 
  • Actions you should take in protecting your privacy online. 

We talked with Eva Velasquez about the following:  

  • The evolution of consumer attitudes about personal privacy. 
  • The consequences when privacy protections are inadequate or fail. 
  • The concept of data minimization for businesses and consumers. 
  • Actions you should take in protecting your privacy online. 

You can learn more about protecting your privacy online, as well as get help if you have been the victim of an identity crime, by visiting the ITRC’s website at www.idtheftcenter.org. While you are there, sign up for our emails that alert you to the latest scams, monthly data breach updates and tips to protect your identity.

Be sure and join us next week for our Weekly Breach Breakdown podcast and next month for another episode of The Fraudian Slip.

  • The one-year anniversary of the California Consumer Privacy Act (CCPA) and CCPA enforcement has come. According to the California Attorney General (AG), 75 percent of complaints were resolved within 30 days. The other 25 percent are still within the 30-day grace period or are still under investigation.
  • The California AG’s report also includes 27 examples of complaints and what companies did to fix the potential violations.
  • California also released a tool that will make it easier for consumers to file complaints about businesses that do not have a clear and easy-to-find “Do Not Sell My Personal Information” link on their website’s homepage.
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

The Right Tool

Welcome to the Identity Theft Resource Center’s Weekly Breach Breakdown for July 23, 2021. Our podcast is possible thanks to support from Experian and Sentilink. Each week we look at the most recent events and trends related to data security and privacy. This week we look at the California Consumer Privacy Act (CCPA), the state law that gives consumers a way to push back against data breaches, and the one-year anniversary of CCPA enforcement.

I’m sure most of us have heard a parent or mentor say at one time or another, “You need the right tool for the right job.” When it comes to protecting privacy and personal information, the Mac-Daddy of protection tools is the CCPA.

New Statistics Released About CCPA Enforcement

California Attorney General (AG) Rob Bonta recently published statistics about the number of complaints his office has received alleging CCPA violations, including some examples. Seventy-five (75) percent of the complaints were resolved within the 30 days the law gives a business to comply once they are notified of a potential violation. The other 25 percent are still within the 30-day grace period or are still under investigation.

The most interesting part of the AG’s report is the 27 examples of complaints and what companies did to fix the potential violations. Notices to cure have been issued to data brokers, marketing companies, businesses handling children’s information, media outlets and online retailers. Some businesses prompted hundreds of CCPA enforcement complaints, while others generated millions.

Potential violations that have been cured include:

  • A business that manufactures and sells cars failed to notify consumers of how personal information was used as part of a vehicle test drive in addition to other omissions in its privacy policy. 
  • A grocery chain required consumers to provide personal information in exchange for participation in its company loyalty programs. The company did not provide a Notice of Financial Incentive to participating consumers.
  • A social media app was not timely responding to CCPA requests, and users publicly complained that they were not receiving notice that their CCPA requests had been received or acted on. 
  • An online dating platform that collected and sold personal information did not have a “Do Not Sell My Personal Information” link on its homepage or adequately explain its data-sharing practices.

Tool Released to Make It Easier for California Residents to File Complaints

AG Bonta also released a tool that makes it easy for California residents to directly complain to a business that does not have a clear and easy-to-find “Do Not Sell My Personal Information” link on their website’s homepage. That’s required by the CCPA, and the direct consumer complaints can trigger the process that can lead to CCPA enforcement action by the state AG.

More tools that allow consumers to help police the CCPA’s provisions, including damages paid directly to consumers for certain data breaches, may be offered in the future.

Contact the ITRC

If you have questions about CCPA enforcement, or how to keep your personal information private and secure, visit www.idtheftcenter.org, where you will find helpful tips.

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during normal business hours (6 a.m.-5 p.m. PST).

Thanks again to Sentilink and Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

Accepting Cookies on New Websites You Visit? Here’s What to Consider

  • Most people in the U.S. have visited a website and accepted cookies. Cookie preferences can be traced directly to the European Union’s three-year-old privacy law, the General Data Protection Regulation (GDPR).
  • States are increasingly giving consumers the right to opt-out of data collection and use under new privacy laws. Also, some web browsers allow you to block most cookies, even if the website owner does not give you any cookie control.
  • There are also good cookies, known as “essential” and “performance” cookies. They help ensure you have a good website experience.
  • What makes a good cookie preference notice is one that starts with all cookies being turned off so you can choose to enable them.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

I Know It When I See It

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for July 2, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. This week we talk about those annoying cookie preferences and notices that pop up when you visit a website.

In 1958, filmmaker Louis Malle released The Lovers, a movie so racy that it was banned in some states as “obscene.” That didn’t stop a theatre owner in Ohio from screening the film, leading to his arrest and ultimately what is believed to be the most quoted line from a U.S. Supreme Court ruling.

The question before the court was how to define “obscene”? That prompted Justice Potter Stewart to write in his opinion overturning the criminal conviction, and this is paraphrased, “I don’t know how to define pornography, but I know it when I see it.” That’s kind of how it is with cookie preferences and other privacy notices on websites these days. I don’t know how to describe what’s a good one, but I know one when I see one.

Cookie preferences can be traced directly to the European Union’s (EU) three-year-old privacy law, the General Data Protection Regulation (GDPR). The GDPR requires knowing and informed consent before data can be collected about an EU resident by a company anywhere in the world.

That provision has doomed some kinds of cookies and data collection practices in the EU, such as web tracking cookies. It’s impractical to get permission from a website visitor every time a tracking cookie is ready to attach before the snippet of code is launched to collect your information.

For the remaining forms of allowable cookies, that’s where the cookie preference notice comes into play. You have to give your permission if you are in the EU or U.S. Many companies that have to be GDPR compliant give you the chance to set your own cookie preferences, even though it is not necessary.

Other companies in the U.S. try the old “negative selection” approach for non-EU visitors. That is to say, you will see a notice that says something to the effect of “if you continue to use our website, you agree to our policies including the use of cookies.”

That is not allowed under the GDPR for EU residents, but it’s fair game in the U.S., at least for now. Increasingly, states are giving consumers the right to opt-out of data collection and use under new privacy laws. Some web browsers – including Safari, Firefox, DuckDuckGo and Brave – allow you to block most cookies, too, even if the website owner does not give you any cookie control.

Notice we said, “block most cookies.” Some cookies are beneficial and do not collect mass amounts of data about you and where you go on the web. They are known as “essential” and “performance” cookies. They help ensure you have a good website experience. When given the choice of allowing those kinds, you are fine accepting cookies.

The key here is consent and giving you the ability to decide for yourself if you want to load up on them; accepting cookies so you can see more ads about Nike Air Force One sneakers as you search the web. What makes a good cookie preference notice? One that starts with all cookies being turned off so you can choose to enable them. That makes it easy to know “it” when you see it.

Contact the ITRC

If you have questions about how to keep your personal information private and secure, visit www.idtheftcenter.org, where you’ll find helpful tips. You can also sign-up to receive our regular email updates on identity scams and compromises. Look out for our analysis of data breaches in the first half of 2021 that will be released on July 8.  

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.  

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 

On June 28, 2021, the Identity Theft Resource Center (ITRC) discovered a particular form of a phishing attack (also known as a brand spoofing attack) imitating our non-profit organization. The spoofed email, which was determined to be an identity monitoring services scam, sent offers of an “elite search account” with monitoring services to “track your social security, name, address, phone, and any other pertinent information that may be compromised over the web.”

The ITRC Never Charges Consumers or Collects Sensitive Information

The ITRC never charges consumers for assistance, and any communication you receive claiming to offer an ITRC service for a fee is a scam. The ITRC only provides no-cost identity theft victim remediation services for individuals, and those services do not include a monitoring service.

The ITRC also does not request or collect sensitive personal information like Social Security numbers, driver’s license numbers or physical addresses. The ITRC may ask for your email or phone number to send you free identity theft resources and educational advice. The limited information you share is never sold to anyone and is only shared with our research partners with your permission.

What is a Brand Spoofing Attack?

For Consumers:

With this attack style, a cybercriminal imitates a well-known brand to offer a product or service. The attack may also include a live operator acting as a contact center service representative.  Consumers need to follow the best practices for avoiding phishing attacks:

  • Be suspicious of emails that claim you must pay, click for your offer or open an attachment immediately.
  • Think about if you have ever interacted with the company before. If this is a new company or account, go directly to their website or call to ask them if the offer is legitimate.
  • If you think you clicked on a malicious attachment, be sure to run an update on your computer and consider anti-virus software.
  • If you gave away your personal or financial information, place a credit freeze on your credit reports and monitor your accounts regularly.

For Businesses:

If your business email, website, social media accounts, or text services were used in a brand spoofing attack, notify your customers or visitors of the spoof and the steps they should take if they have given their account password or financial information to a criminal. You may direct victims to the ITRC’s contact center or website for free assistance.

Read more about business email imposter recovery steps to take with advice from the Federal Trade Commission.

What You Need to Know About Identity Monitoring Services Scams

In an identity monitoring services scam, an identity thief poses as a well-known brand or government agency and contacts you to say your identity has been compromised. They claim to have discovered your personal information on the dark web and insist you should pay for services to monitor your identity.

The identity monitoring services scam is similar to the IT support scam where the cybercriminal poses as Microsoft, Apple, etc. to say your computer has been infected with malware and is alerting you. They then urge you to clean it up as soon as possible and will take your credit card information or payment through gift card to clean up the infection for you.

Report to the ITRC

If you receive an email, phone call or other communication that asks for your personal or financial information to pay for a service, report it directly to the ITRC to receive our free remediation services to help protect your identity and help prevent additional identity crimes. The ITRC’s expert advisors will help you take additional steps if required, to secure your identity.

Contact the ITRC for Free Identity Theft Information

If you accidentally click on a link of a brand phishing attack or provide information to what you discover later was a fake website form, contact the ITRC toll-free at 888.400.5530 or live-chat with an expert advisor on the company website www.idtheftcenter.org. An advisor will walk you through the steps to take to protect yourself from any possible identity misuse. 


The ITRC is a non-profit organization established in 1999 to empower and guide consumers, victims, business, and government to minimize risk and mitigate the impact of identity compromise and crime. Read more about our mission.

  • Amazon recently connected to its new network, “Sidewalk,” leaving some people wondering how to opt-out of Amazon Sidewalk. It takes a little piece of the network bandwidth of people who have either an Amazon Echo or a Ring doorbell connected to their Wi-Fi and shares it with others who have Amazon devices to create a mesh network.
  • While Amazon says the information will not be shared with other devices on the network, it still connected to people’s devices without their permission.
  • To opt-out of Amazon Sidewalk on an Amazon speaker, open the Alexa mobile app and go to More > Settings > Account Settings > Amazon Sidewalk and choose Disable. For a Ring doorbell, in the app go to the Control Center > Amazon Sidewalk > Disable > Confirm.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

Sharing is Not Caring

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for June 11, 2021. Our podcast is possible thanks to support from Experian. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week, we will talk about how your parents, grandparents and teachers were wrong when you were young – at least when it comes to cybersecurity. We will also discuss how to opt-out of Amazon Sidewalk, a new mesh network.

How many times did you hear someone tell you that you need to share your toys with your sister or brother? “Share what you have” with your friends probably was thrown in there, too – along with this chestnut: sharing is caring.

That might be true on the playground when you’re talking about a cup of goldfish crackers. However, in today’s episode, we are talking about privacy and cybersecurity. Sharing is definitely NOT caring, especially when you’re forced to give up a piece of your internet bandwidth to your neighbors.

Amazon’s New Mesh Network “Sidewalk”

We are talking about Amazon’s new mesh network known as “Sidewalk.” Sounds innocent enough, right? It makes you think of walking around your neighborhood waving at your friends sitting on their front porch while you take a stroll with your trusty dog Rex.

Except in this scenario, you have an Amazon Echo smart speaker and a Ring doorbell connected to your Wi-Fi. Rex is wearing a Tile smart tag, so you can find him when he runs away to make a deposit on a neighbor’s lawn. All of those Amazon smart devices are now automatically connected to the new Sidewalk network that went live on June 8, without your permission.

What the New Sidewalk Network Does

Right about now, you may be wishing you could trade that glass of lemonade you have been nursing on your walk for something a little stronger because chances are you’ve never heard of Sidewalk. That’s what Amazon calls its new local network that takes a little piece of your network bandwidth, up to 500 MB per month, and shares it with your neighbors who also have Alexa hanging around their houses.

The idea is it boosts Wi-Fi signals in weak areas by pooling the bandwidth of every house that has an Amazon device on a network. This “take a little here and give a little there” approach is known as a mesh network.

What It Means

Amazon hasn’t been shy about touting the benefits of this kind of expanded network. It means when Rex runs away, that Tile smart tag you put on his collar can be tracked as long as Rex is near the new neighborhood-wide network. It means a sketchy signal will not prevent your Ring doorbell from showing you that pimply-faced kid who just showed up to take your daughter to the movies. Also, it means you can ask Alexa to tell you a joke in parts of your house where you couldn’t connect until Sidewalk launched.

What it doesn’t mean, according to Amazon, is that Alexa will share your information with the other devices in your neighborhood that are now connected to the wider network. There are also strict limits on how much bandwidth Sidewalk can use per month, so your internet bill doesn’t go through the roof.

While that’s good to know, it doesn’t change the fact that Sidewalk is, like Alexa and Ring, always on and you were not asked if you wanted to join the network.

How to Opt-Out of Amazon Sidewalk

Fortunately, there is a way to jump off the Sidewalk by changing the settings on your Amazon devices. Here’s how to opt-out of Amazon Sidewalk:

  • For the Echo family of speakers, open the Alexa mobile app and go to More > Settings > Account Settings > Amazon Sidewalk. Choose Disable, and you’re done.
  • In the Ring app, go to the Control Center > Amazon Sidewalk > Disable > Confirm.

While you’re busy putting your Wi-Fi back in the house where it belongs, make sure you have a strong password on your home network to keep cybercriminals and your cheapskate neighbor off your network. Sorry, we can’t do anything about the kids or dogs on your lawn.

Contact the ITRC

If anyone has questions about keeping their personal information secure or on how to opt-out of Amazon Sidewalk, they can visit www.idtheftcenter.org, where they will find helpful tips. People can also sign-up to receive our regular email updates on identity scams and compromises and download our latest report on how identity crimes impact individuals.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST).

Thanks to Experian for supporting the ITRC and this podcast. Next week be sure to check out our sister podcast, The Fraudian Slip when we talk with the CEO of LexisNexis Special Services about the role of information in preventing identity crimes. We will be back in two weeks with another episode of the Weekly Breach Breakdown.

Synchrony shares with the ITRC in the newest Fraudian Slip podcast the latest in data minimization, privacy laws and their impact on consumers 

  • On this month’s Fraudian Slip podcast, we are talking about the evolution of privacy. In 2018, the European Union adopted a data privacy law (General Data Protection Regulation, known as the GDPR). Since then, multiple states in the U.S. have either adopted laws with many of the same principles, or are actively considering one.  
  • The ITRC sat down with Synchrony, one of the leading financial services companies based in the U.S., to discuss these privacy issues and much more.  
  • To learn more, listen to this week’s episode of The Fraudian Slip.
  • You can also learn more about the privacy, security and identity management topics discussed in the podcast and how to protect yourself from identity fraud and compromises by visiting the ITRC’s website.
  • If you think you are the victim of an identity crime or your identity has been compromised, you can call us, chat live online, send an email or leave a voicemail for an expert advisor to get advice on how to respond. Just visit www.idtheftcenter.org to get started. 

Below is a transcript of our podcast with special guest Ricky Davis, Sr. Vice President & Chief Privacy Officer for Synchrony 

Welcome to The Fraudian Slip, the Identity Theft Resource Center’s (ITRC) podcast, where we talk about all-things identity compromise, crime and fraud that impact people and businesses.  

This month, May, we are going to talk about the evolution of privacy. Historically, we have always treated privacy, cybersecurity and identity management – that’s how your identity information is created and used – as three separate and distinct issues. We have a handful of federal laws that deal with identity and cybersecurity – primarily around health and financial information.

Every state, the District of Columbia and U.S. territory has a data breach notice law that requires consumers to get an alert if their personal information is exposed in a cyberattack or just good old-fashioned dumpster diving. We also have a patchwork quilt of industry self-regulations and government regulations that address the security required to protect data that companies keep on their customers and prospects. 

However, there is a change, and an evolution of privacy, in the wind. What started in the European Union in 2018 with the adoption of a single, comprehensive data privacy and cybersecurity law has now spread to the U.S. California has adopted many of the principles found in the EU’s General Data Protection Regulation (GDPR). Now, the Commonwealth of Virginia has joined the club.  

A dozen other states are also actively considering new privacy laws that add rights for consumers, obligations for businesses and fundamentally change the way we think about how we create, use, store, share and protect personal information. 

We talked with Ricky Davis, Sr. Vice President & Chief Privacy Officer for Synchrony, one of the leading financial services companies based in the U.S., about the following: 

  • The role of a Chief Privacy Officer 
  • The benefits to an organization to have a privacy focus 
  • What we have learned about the GDPR after three years that will help U.S. consumers and businesses 
  • The concept of data minimization (don’t collect or store more than you need for longer than you need it) and why it is important 
  • State laws versus a comprehensive federal law 

We also talked with ITRC CEO Eva Velasquez about the following:  

  • The practical effect on consumers of having three separate infrastructures – privacy, security and identity management 
  • The benefits to consumers from having more rights to access data 
  • State laws versus a comprehensive federal law 

For answers to all of these questions, and more on the evolution of privacy, listen to this week’s episode of The Fraudian Slip Podcast.  

Contact the ITRC 

You can learn more about data privacy, cybersecurity and other identity-related issues by visiting the ITRC’s website at www.idtheftcenter.org and by listening to our sister podcast, the Weekly Breach Breakdown.

If you have questions about how to protect your personal information, or if you believe you have been the victim of an identity crime or compromise, talk to one of our expert advisers on the phone, by live-chat or by email during normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started. 

Be sure and join us next week for our Weekly Breach Breakdown podcast and next month for another episode of The Fraudian Slip. 

  • With data breaches on the rise over the last 30 to 45 days, it has been one of the most intense periods seen in a while because of the pace, scope and impact of the crimes.
  • GEICO suffered a data breach that impacted 132,000 people and could lead to unemployment fraud; the Pennsylvania Department of Health and ParkMobile both had data incidents due to third-party providers; and Peloton had a problem with third-party software, allowing other users to see people’s personal information.
  • Researchers guessed up to 80 percent of iPhone and iPad users would take advantage of Apple’s new anti-tracking privacy feature. However, based on early downloads of the iOS update, 96 percent of users are using the new feature to opt-out of app-tracking.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

Too Fast, Too Furious

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for May 14, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we’re highlighting data breaches on the rise the past 30 days in one of the most intense periods of cyberattacks and data breaches we’ve seen in a while.

With all due respect to Vin Diesel and the rest of the cast of the Fast and Furious movie franchise, we’re calling this week’s episode “Too Fast, Too Furious” because of the pace, scope and impact of identity compromising events over the past 45 days – some of which are still ongoing. We also have a quick update on the impact of the recent privacy tools added to iPhones and iPads.

ITRC’s Notable Breaches for April

In the ITRC’s most recent monthly report of data breaches, we highlighted three major events:

  • GEICO’s breach of driver’s license data that impacted 132,000 customers;
  • The contact tracing service hired by the Pennsylvania Department of Health failing to secure the COVID-related personal health information of Keystone state residents; and,
  • Twenty-one (21) million users of the ParkMobile app having their information exposed thanks to a vulnerability in third-party software.

Each of these is unique in some ways but also reflective of broader trends.

GEICO

In the case of GEICO, when announcing the data breach at the nation’s second-largest auto insurance company, officials said the stolen data was being used as part of unemployment insurance fraud schemes. Pandemic-related benefits fraud is estimated to be closing in on $100 billion. The ITRC is on pace to surpass the total number of unemployment identity fraud victims we helped in 2020 by the end of May 2021.

Pennsylvania Dept. of Health & ParkMobile

The events involving the Pennsylvania Department of Health and the ParkMobile parking app are two variations of the same issue: problems with third-party suppliers. In the case of the Pennsylvania Department of Health, the vendor supplying COVID-19 contact tracing services didn’t secure the personal information of 72,000 people. With ParkMobile, a third-party software issue exposed users’ personal information. Issues with supply chains are an escalating trend when it comes to data compromises, especially cyberattacks where threat actors can steal the data of multiple companies in a single attack.

Peloton

More recently, an issue with third-party software also allowed users of the popular Peloton exercise bikes to see the personal information of other users. The flaw was found by an independent cybersecurity researcher who reported the issue to Peloton, which did not initially respond to his information. Ultimately, Peloton fixed the issue early this month, but not before opening three million subscribers to having their information exposed. Peloton has since acknowledged they have fixed the problem, and there is no evidence of anyone stealing the user information.

Update on the New Apple Privacy Feature

Finally, an update on how many people are taking up Apple’s offer to block mobile app owners from collecting and selling user data without first getting consent. Researchers guessed before the launch of the new anti-tracking privacy feature that as many as 80 percent of iPhone and iPad users would take advantage of the blocking technology.

The actual number, based on early downloads of the iOS update, is 96 percent of users saying no to app tracking. That’s a giant obscene gesture to companies that rely on third-party data for marketing and advertising and the platforms that collect and sell user information. Now here is the next question: Who will follow Apple’s lead in addressing the privacy and cybersecurity concerns of consumers?

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, data breaches on the rise or the new Apple privacy update, they can visit www.idtheftcenter.org. They will find helpful tips on these and many other topics. People can also sign up to receive our regular email updates on identity scams and compromises.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started. 

Be sure to listen next week to our sister podcast – The Fraudian Slip – when we’ll talk to the Chief Privacy Officer of Synchrony, a leading financial services company. We will be back in two weeks with another episode of the Weekly Breach Breakdown.

  • A new Apple privacy update, iOS 14.5, lets consumers stop Apple apps from tracking them.
  • Unless someone gives permission to an app, it cannot use their data for targeted ads, share their location data with advertisers, or share their advertising identity or any other identifiers with third parties.
  • If you do not want to be tracked by your Apple device, download Apple’s latest update (14.5), and select Settings > Privacy > Tracking, and toggle off Allow Apps to Request to Track. You can also decide on an app-by-app basis by selecting “Ask App Not to Track” or “Allow” once you download a new app.
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. 
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

He Loves Me Not

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for April 30, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we’re going to focus on the seismic event in the data privacy world.

In Henry IV, Shakespeare’s play about taking action while others fail to act, Lady Percy says, “Some heavy business hath my lord in hand, And I must know it, else he loves me not.”

In this case, she’s referring to plans for a rebellion. However, in the context of this week’s episode, we’re talking about the new Apple privacy update, which gives consumers more control over their data as a substitute for privacy legislation. Later in the article, we will tell people how to take advantage of a new feature from the makers of the iPhone and iPad.

New Apple Privacy Update Feature

In an earlier episode, we talked about Apple’s controversial decision to add a built-in privacy feature that would block the ability of applications to track users. That data is used to serve ads to people either by the app owner, or if it’s sold to a third party that uses the information to target people with ads as they travel around the digital world.

Consumers Can Opt-Out of Being Tracked By their Apple Apps

Apple announced the new App Tracking Transparency feature in June 2020 to give app developers plenty of time to prepare for the change. And a big change it is. Unless someone gives permission to an app – including those made by Apple – it can’t use one’s data for targeted ads, share their location data with advertisers, or share their advertising identity or any other identifiers with third parties.

Many Privacy Experts & Consumer Advocates Favor the Change

Privacy experts and consumer advocates think the new Apple privacy update is a great step forward in giving people more direct control over their data, who has access to it, and how it is used. Advocates have long sought a shift in the U.S. to a more European privacy model where consumers must give their permission before personal information is collected and used.

From the beginning of the digital economy, the U.S. has built business models on a no-option basis. That means people have no choice but to surrender their personal information, which then becomes the property of the business, not them.

Thanks to a strong European privacy law that went into effect in 2018 – and several state laws and regulations in California, New York and Virginia – we are beginning to see the ability of consumers to “opt-out” of certain types of data collection and sales. That is to say consumers can tell a company to stop collecting, selling or sharing their information.

However, that approach is not universal since the U.S. has no national privacy law, and 48 of the 50 states have not passed specific data privacy laws. Enter the Apple privacy update that allows customers to block data collection.

What You Should Do If You Don’t Want to Be Tracked by Your Apple Device

If you don’t want to be tracked by your Apple devices, here’s what you need to do:

  • Download and install the new iOS version 14.5 on your iPhone or iPad.
  • Once you do that, you can block access on an a la carte basis. When you download a new app, you will be asked if you want to let the app track your activity. You can select “Ask App Not to Track” or “Allow” if you are okay with that application collecting and using your data.
  • You can also opt-out of app tracking across every app you download by going to Settings > Privacy > Tracking, and toggling off Allow Apps to Request to Track. That way, any new app will be automatically informed you have requested not to be tracked. Also, all apps (unless you’ve already permitted them to track you) will be blocked from accessing your device’s information used for advertising. 
  • For apps that you have already downloaded and agreed to allow tracking, you can still turn those permissions on or off on a per-app basis in your device settings. 

The Lasting Effects Are Still Unknown

Predictions on how the Apple privacy update will affect consumer behavior, data sales, and ad revenues range from “meh” to Chicken Little-level “the sky is falling.” We will revisit this topic once we know if we can go about our business or need a hard hat.

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, or on the new Apple privacy update, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. 

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started. 

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 

  • The California Attorney General announced a new California Consumer Privacy Act (CCPA) regulation that bans business practices that make it more difficult for consumers to exercise a privacy opt-out.
  • The new CCPA regulation means businesses will not be able to direct consumers to different web pages or make them sit through explanations of why they should not opt out. It also means the addition of a new button for companies to use to guide people to where they can opt out of having their data sold.
  • The American Medical Collection Agency (AMCA) settled with 41 state attorneys general over the 2019 AMCA data breach. If AMCA does not live up to the settlement terms, it could lead to $21 million in fines to be paid to the states.
  • For more information on the new CCPA regulation, consumer privacy opt-outs, and the AMCA data breach settlement, listen to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown podcast. 
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified.   
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org

But Wait, There’s More! 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for March 19, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. 

Back in the early days of infomercials, there would come the point in a television ad selling the latest knife set or blender when the person making the pitch would stop, look earnestly into the camera, and shout, “but wait, there’s more!” That’s the title of this week’s episode, where we look at a new California Consumer Privacy Act (CCPA) regulation and provide an update on a major 2019 data breach.  

New CCPA Regulation and its Effect on Consumer Privacy Opt-Outs 

Even though the CCPA has been in effect for more than a year, there’s an important part of the legislative process that tends to be left out of civics lessons. Most laws require regulations to be adopted to enforce them. 

The new CCPA regulation formally adopted this past week was proposed in response to a practice known as “Dark Patterns.” This practice makes exercising one’s right so confusing or frustrating that people give up trying.  

Consumers may be directed to another web page, forced to click on multiple pages, or scroll through a series of screens. People may even have to sit through a long explanation of why they shouldn’t opt-out of allowing a company to sell their data. 

That’s not what the California legislature had in mind when it passed the law in 2018. There were promises it would be easy for Golden State residents to exercise their new-found privacy rights. Chief among those rights was a requirement for businesses governed by the CCPA to put a “Do Not Sell My Information” button in a prominent place on their web pages.

Along with banning practices that impede a consumer privacy opt-out of data sales, the new CCPA regulation also includes a new button that companies can use to help guide consumers to where on their website they can go to exercise their privacy rights.  

Known as the Privacy Options icon, the blue website button was designed by Carnegie Mellon University’s Cylab and the University of Michigan’s School of Information. It was tested against other icons to determine the best design for communicating consumers’ privacy choices. 

Look for those coming to a website near you. 

But wait, there’s more! 

American Medical Collection Agency Settles with States over 2019 Data Breach 

In 2019, the medical debt collection company American Medical Collection Agency (AMCA) revealed it had been the target of an eight-month-long cyberattack. It resulted in a data breach of information regarding at least seven million people and possibly as many as 21 million people. Shortly after announcing the security and data breaches, AMCA filed for bankruptcy.

Forty-one state attorneys general intervened in the bankruptcy proceeding recently and received the court’s permission to enter into a settlement with AMCA. No financial penalties apply because of the financial condition of the company. However, AMCA agreed to a series of cybersecurity upgrades and ongoing audits. If AMCA fails to live up to the terms of the agreement, it will trigger $21 million in fines to be paid to the states.

As Steve Jobs would say, just one more thing. 

Contact the ITRC 

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics.  

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started.  

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 

  • Changes are about to happen when it comes to mobile device privacy. Privacy advocates have long sought regulations in the U.S. to mandate opt-in requirements rather than opt-out.  
  • In the spring, Apple will change their mobile operating system to automatically block data collection unless someone explicitly opts in.
  • Some advertising experts estimate that between 50 and 75 percent of iPhone users will pass on agreeing to share data based on experiences with other opt-in opportunities. Some researchers believe as few as five percent of Apple product owners will opt in.
  • The trend in marketing and advertising gives consumers more of a voice in what information is collected about them and how it is used. It’s the core of modern privacy – informed consent. The more transparency that exists about personal data and its use, the more informed the consent. 
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified.  
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for February 19, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we look less at security and more at privacy, specifically about major changes that are about to happen to mobile device privacy and how that relates to our travels around the internet. 

Sir Walter Scott wrote in his epic poem – “Oh what a tangled web we weave when first we practice to deceive.” That gives us the title for this week’s episode: “A Tangled Web.” 

Cookies on the World Wide Web 

From the earliest days of the internet, when it was still called the “World Wide Web,” small pieces of code were added to websites that would attach to a website visitor’s browser. The code snippet was called a “magic cookie” because it helped websites remember that someone had already visited and supplied information that personalized the experience.

Privacy Concerns Around Tracking Cookies  

Over the next 20 years, the amount of data collected by cookies and how cookies were used to track movement around the web became a source of privacy concerns. In 2018, the European Union (EU) became the first government to regulate cookies, requiring website owners to get visitors’ express permission to attach a tracking cookie before the web content the user was trying to access could be delivered.

The rule’s practical effect was to end the practice of using tracking cookies to collect consumer information to fuel online advertising – first in the EU and now globally. The major browser makers – Apple, Mozilla, Microsoft and Google – have all blocked third-party tracking cookies or will soon do so. 

Identifier for Advertisers (IDFA) on Apps 

Moving around the internet with a mobile device is a little different. Most people use an app rather than a browser to access the web. Instead of cookies, there is a different piece of code known as an Identifier for Advertisers (IDFA) that collects and reports who uses an app and how they use it.

However, unlike a cookie, an IDFA can be managed easily in a phone or tablet’s settings if the device maker allows one to opt-out of app data collection. The default settings on all smartphones today are to enable data collection from apps.  

Opt-In and Opt-Out Requirements 

Here’s where we talk about the big changes on the horizon in mobile device privacy. Privacy advocates have long sought regulations in the U.S. to mandate opt-in requirements rather than opt-out. This is so consumers have the opportunity to make an informed decision about what data is collected, by whom, and how it is used. To date, most laws and regulations – if they mandate any consumer consent at all – require consumers to be offered the chance to opt-out of data collection. 

Apple to Block Data Collection Unless Someone Opts-In 

However, in the spring, Apple will change their mobile operating system to automatically block data collection unless someone explicitly opts in. In fact, the first time someone opens an app after the upgrade, they will be asked if they want to allow data collection. That’s a monumental change in mobile app privacy from today’s opt-out world.

People may have read in the media that not everyone is happy about this change. Facebook and other large advertisers are concerned with the loss of consumer data that will result if a large number of iPhone and iPad users decline to opt in to data sharing.

Some advertising experts estimate that between 50 and 75 percent of iPhone users will pass on agreeing to share data based on experiences with other opt-in opportunities. Some researchers project as few as five percent of Apple product owners will opt in.

The clear trend in marketing and advertising is giving consumers more of a say in what information is collected about them and how it is used. It’s the core of modern privacy – informed consent. The more transparency that exists about how personal data is used, the more informed the consent. 

Informed consent includes understanding that there will be fewer targeted, personalized ads with less personal data available to marketers and advertisers. Also, there may be fewer free products and services as website owners add fees or subscriptions to make up for lost revenue from data sales. 

Apple has not announced when the update that includes the new mobile device privacy settings will be released, so consumers should stay tuned for more details. 

Contact the ITRC 

If anyone has questions about protecting their personal information, they can visit www.idtheftcenter.org, where they will find helpful tips on this and many other topics.  

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they can contact us. Victims can speak with an expert advisor on the phone (888.400.5530), live-chat on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.